EU Data Regulator Finds ‘Serious Concerns’ Over Microsoft Contracts

The EU’s data protection authority said on Monday it has uncovered “serious concerns” over the way citizens’ data is treated under contracts between Microsoft and EU agencies.

In April the European Data Protection Supervisor (EDPS) began an investigation into whether Microsoft’s contracts with EU institutions such as the European Commission are fully compliant with the GDPR data protection regulations introduced last year.

Such agencies outsource the processing of large amounts of citizens’ personal data to software and services groups such as Microsoft, which are considered “data processors” under the GDPR.

As “data controllers”, however, the EU agencies themselves remain accountable under data protection law and are obliged to ensure the compliance of their arrangements with processors.


“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” the EDPS said.

It cited risk assessments carried out by the Dutch Ministry of Justice and Security as indicating that similar issues are faced by member states’ public authorities.

The EDPS cited amended terms, technical safeguards and settings agreed between the Dutch ministry and  Microsoft as showing that there is “significant scope for improvement” in contracts between public administrations and software and online services providers.

The data protection authority said it wants similar deals to be put into place for other public and private bodies in the EU, as well as for individuals in the region.

It has established a forum aimed at “taking back control” of IT services and products by collectively creating standard contracts rather than accepting the terms and conditions supplied by providers.

‘Step forward’

“The EDPS encourages all concerned parties to join the forum and help us to set fair contractual terms for public administration,” the agency said.

The Dutch deal with Microsoft is a “positive step forward” and should be applied to all consumers and public authorities in the region, said the assistant EDPS, Wojciech Wiewiórowski.

Microsoft said it was “committed” to helping customers comply with the GDPR and other applicable laws.

“We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS,” the company said in a statement.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Officials Blame Turkey For Cyber-Attacks

Turkish government likely to be behind ongoing campaign of DNS hijacking incidents targeting rival countries, Western officials say

3 hours ago

Citrix Flaw Opens Networks To Ransomware Risk

Hackers attempt to exploit critical flaw in Citrix ADC and Citrix Gateway to install 'Ragnarok' ransomware on vulnerable networks

4 hours ago

Google Takes Dataset Search Out Of Beta

Custom-built framework aims to help researchers find the vast amount of data published online by labs, governments, universities and other…

5 hours ago

ICO Children’s Data Rules Meet With Divided Response

Upcoming regulations hailed as a pioneering step to protect children's data online, but some fear they could favour big tech…

6 hours ago

Government Set To Approve Restricted 5G Role For Huawei

Government decision on Huawei set for Tuesday, as US secretary of state warns Chinese-made 5G equipment puts UK sovereignty at…

7 hours ago

UK ‘Will Not Implement EU Copyright Directive’

Controversial provisions that Google argued would ban memes and GIFs will not be brought into UK law, as country departs…

9 hours ago