Microsoft Updates Cloud Agreements Following EU Probe

New cloud contract terms to roll out worldwide after European regulators found ‘serious concerns’ over the way Microsoft was handling citizens’ data

Microsoft is planning to roll out changes to its Online Service Terms (OST) for all its commercial cloud customers worldwide after EU regulators found “serious concerns” with the company’s compliance with European data protection law.

The European Data Protection Supervisor (EDPS) said in November there was “significant scope for improvement” in contracts between public administrations and software and online services providers.

It cited risk assessments carried out by the Dutch Ministry of Justice and Security as indicating that EU member states’ public authorities, as well as agencies such as the European Commission that do business with Microsoft, face similar issues.

The EDPS launched its investigation in April and the probe is ongoing.

Data control

Microsoft is classed as a “data processor” under the EU’s GDPR data protection rules, which came into force last year, in that it handles large amounts of citizens’ data on behalf of public authorities.

But as “data controllers”, those public agencies have primary responsibility for the data and are obliged to ensure the compliance of their arrangements with processors.

Microsoft said its new terms will clarify that Microsoft assumes the role of data controller, rather than data processor, when it processes data for certain administrative and operational purposes, such as account management, financial reporting and complying with its legal obligations.

The company said increasing Microsoft’s responsibility for this subset of the data would provide more “clarity” for customers about how it uses the data and about its commitment to data protection compliance.

Privacy

“Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date,” said Microsoft chief privacy officer Julie Brill in a Monday blog post.

The new terms reflect contractual changes developed with the Dutch Ministry of Justice earlier this year.

They are set to roll out to all commercial customers, including public and private organisations and both large and small companies, at the beginning of 2020.

The rules apply to Microsoft cloud-based services such as Office 365 ProPlus and Office 365.