Microsoft Updates Cloud Agreements Following EU Probe

Microsoft is planning to roll out changes to its Online Service Terms (OST) for all its commercial cloud customers worldwide after EU regulators found “serious concerns” with the company’s compliance with European data protection law.

The European Data Protection Supervisor (EDPS) said in November there was “significant scope for improvement” in contracts between public administrations and software and online services providers.

It cited risk assessments carried out by the Dutch Ministry of Justice and Security as indicating that similar issues are faced by EU member states’ public authorities, as well as agencies such as the European Commission that do business with Microsoft.

The EDPS launched its investigation in April and the probe is ongoing.

Data control

Microsoft is classed as a “data processor” under the EU’s GDPR data protection rules, which came into force last year, insomuch as it handles large amounts of citizens’ data on behalf of public authorities.

But as “data controllers”, those public agencies have primary responsibility for the data and are obliged to ensure the compliance of their arrangements with processors.

Microsoft said its new terms will clarify that Microsoft assumes the role of data controller, rather than data processor, when it processes data for certain administrative and operational purposes, such as account management, financial reporting and complying with its legal obligations.

The company said increasing Microsoft’s responsibility for this subset of the data would provide more “clarity” for customers about how it uses the data and about its commitment to data protection compliance.


“Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date,” said Microsoft chief privacy officer Julie Brill in a Monday blog post.

The new terms reflect contractual changes developed with the Dutch Ministry of Justice earlier this year.

They are set to roll out to all commercial customers, including public and private organisations and both large and small companies, at the beginning of 2020.

The rules apply to Microsoft cloud-based services such as Office 365 ProPlus and Office 365.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
