July 2, 2020 (updated 03 Jul 2020 10:33am)

European Organisations Should “Carefully Consider” Microsoft Purchases: Data Protection Watchdog

The tech heavyweight had "far-reaching rights of unilateral amendment, despite express provision to the contrary in the negotiated documents"

By CBR Staff Writer

Microsoft had carte blanche to unilaterally change the rules on how it collected data on 45,000+ European officials, the EU’s data protection watchdog said today, with the contractual remedies in place for institutions that didn’t like the changes essentially “meaningless in practice.”

The comments came in a biting new report by the European Data Protection Supervisor (EDPS) into an “Inter-Institutional Licensing Agreement” (ILA) signed by the European Commission with Microsoft in 2018, and since updated under pressure from concerned EU organisations.

See also: Microsoft Cloud Terms Updated Under EU Pressure

The EDPS warned EU institutions to “carefully consider any purchases of Microsoft products and services… until after they have analysed and implemented the recommendations of the EDPS”, saying buyers could have little to no control over where data was processed, how, and by whom.

In an occasionally eye-popping report the watchdog noted that:

  • The agreement had granted Microsoft “far-reaching rights of unilateral amendment, despite express provision to the contrary in the negotiated documents”,
  • The contract’s provisions and Microsoft’s privacy policy “did not even allow EU institutions to identify the location of all the different types of personal data processed under them”,
  • The deal left Microsoft able to “disclose personal data (including Customer Data, Administrator Data, Payment Data and Support Data) to third parties, including law enforcement or other government agencies”

The sets of standard Microsoft terms that were incorporated into the EU’s umbrella agreement are regularly changed by Microsoft, it noted, with new versions published on its volume licensing website. It was “possible for Microsoft to make far-reaching changes to the data protection terms of the ILA by changing a set of standard terms incorporated into it.”

EU Data Protection Microsoft Report: “Meaningless” Remedy

The standard agreement also let Microsoft engage new data sub-processors without explicit sign-off by those whose data they were processing.

“If EU institutions did not approve of a new sub-processor, their only recourse under the negotiated terms of the ILA was to terminate their subscription to the affected online service. If the affected online service was part of a suite, the EU institutions’ only recourse was to terminate their subscription for the entire suite… This contractual remedy risked being meaningless in practice.”


In short, it concluded, EU institutions had few guarantees that they were in a position to defend the “privileges and immunities granted to them under the Treaty on the Functioning of the European Union (‘TFEU’)”, including — perhaps startlingly to many — ensuring that Microsoft would only disclose any personal data it harvested in line with the restrictions of EU law.

(In short: as the contract stood, European users were not in a position to make sure Microsoft was adhering to European law.)

The EDPS concluded bluntly: “In the medium term, if EU institutions wished to maintain the protections afforded by Protocol No 7 to the TFEU and Regulation (EU) 2018/1725 against unauthorised disclosure, they should seriously consider:

  • First, ensuring that data processed on their behalf is located in the EU/EEA, and
  • Second, only using service providers that were not subject to conflicting third-country laws with extra-territorial scope.”

Microsoft says it is listening to regulators and customers and is willing to adjust its rules as “legal interpretations of European privacy laws evolve. This includes alignment with the recent law designed for EU institutions.”

The EDPS noted that despite scepticism from many European organisations, it had, ultimately, won positive changes.

The watchdog added: “We would therefore encourage controllers not to be disheartened at the prospect of negotiating instructions with a processor that they consider necessary to protect the rights and freedoms of data subjects; even when faced with a business partner of considerable heft.”

See also: European Digital Strategy and the Global Race for Digital Sovereignty
