Microsoft Updates Cloud Agreements Following EU Probe

Microsoft is planning to roll out changes to its Online Service Terms (OST) for all its commercial cloud customers worldwide after EU regulators found “serious concerns” with the company’s compliance with European data protection law.

The European Data Protection Supervisor (EDPS) said in November there was “significant scope for improvement” in contracts between public administrations and software and online services providers.

It cited risk assessments carried out by the Dutch Ministry of Justice and Security as indicating that similar issues are faced by EU member states’ public authorities, as well as agencies such as the European Commission that do business with Microsoft.

The EDPS launched its investigation in April and the probe is ongoing.

Data control

Microsoft is classed as a “data processor” under the EU’s GDPR data protection rules, which came into force last year, insomuch as it handles large amounts of citizens’ data on behalf of public authorities.

But as “data controllers”, those public agencies have primary responsibility for the data and are obliged to ensure the compliance of their arrangements with processors.

Microsoft said its new terms will clarify that Microsoft assumes the role of data controller, rather than data processor, when it processes data for certain administrative and operational purposes, such as account management, financial reporting and complying with its legal obligations.

The company said increasing Microsoft’s responsibility for this subset of the data would provide more “clarity” for customers about how it uses the data and about its commitment to data protection compliance.


“Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date,” said Microsoft chief privacy officer Julie Brill in a Monday blog post.

The new terms reflect contractual changes developed with the Dutch Ministry of Justice earlier this year.

They are set to roll out to all commercial customers, including public and private organisations and both large and small companies, at the beginning of 2020.

The rules apply to Microsoft cloud-based services such as Office 365 ProPlus and Office 365.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Cryptocurrency Warning From Bank Of England Governor

Blunt message from Bank of England governor Andrew Bailey, warning people only to buy cryptocurrency…

19 hours ago

Jeff Bezos Offloads $2 Billion In Amazon Shares

Needs some spending money...Amazon CEO Jeff Bezos has this week sold nearly $2 billion worth…

20 hours ago

Twitter Suspends Account Sharing Trump Posts

Shutdown again. An account has been suspended by Twitter for sharing the posts from Donald…

21 hours ago

IBM Claims Breakthrough With 2 Nanometer Chip

Research boffins at IBM are touting a major leap forward in performance and energy efficiency…

2 days ago

Twitter Now Prompts Users To Revise ‘Harmful Replies’

Trolls beware. Twitter releases feature that will deliver a 'reconsider prompt' for users, if they…

2 days ago

Old Routers Pose Security Risk, Warns Which?

Elderly routers that can no longer receive firmware updates posed security risk to millions of…

2 days ago