Microsoft had carte blanche to unilaterally change the rules on how it collected data on 45,000+ European officials, the EU’s data protection watchdog said today, with the contractual remedies in place for institutions that didn’t like the changes essentially “meaningless in practice.”
The comments came in a biting new report by the European Data Protection Supervisor (EDPS) into an “Inter-Institutional Licensing Agreement” (ILA) signed by the European Commission with Microsoft in 2018, and since updated under pressure from concerned EU organisations.
The EDPS warned EU institutions to “carefully consider any purchases of Microsoft products and services… until after they have analysed and implemented the recommendations of the EDPS”, saying buyers could have little to no control over where data was processed, how, and by whom.
In an occasionally eye-popping report, the watchdog noted that:
- The agreement had granted Microsoft “far-reaching rights of unilateral amendment, despite express provision to the contrary in the negotiated documents”;
- The deal left Microsoft able to “disclose personal data (including Customer Data, Administrator Data, Payment Data and Support Data) to third parties, including law enforcement or other government agencies”.
The sets of standard Microsoft terms that were incorporated into the EU’s umbrella agreement are regularly changed by Microsoft, it noted, with new versions published on its volume licensing website. It was “possible for Microsoft to make far-reaching changes to the data protection terms of the ILA by changing a set of standard terms incorporated into it.”
EU Data Protection Microsoft Report: “Meaningless” Remedy
The standard agreement also let Microsoft engage new data sub-processors without explicit sign-off by those whose data they were processing.
“If EU institutions did not approve of a new sub-processor, their only recourse under the negotiated terms of the ILA was to terminate their subscription to the affected online service. If the affected online service was part of a suite, the EU institutions’ only recourse was to terminate their subscription for the entire suite… This contractual remedy risked being meaningless in practice.”
In short, it concluded, EU institutions had few guarantees that they were in a position to defend the “privileges and immunities granted to them under the Treaty on the Functioning of the European Union (‘TFEU’)”, including, perhaps startlingly to many, ensuring that Microsoft would only disclose any personal data it collected in line with the restrictions of EU law.
(Put plainly: as the contract stood, European institutions were not in a position to make sure Microsoft was adhering to European law.)
The EDPS concluded bluntly: “In the medium term, if EU institutions wished to maintain the protections afforded by Protocol No 7 to the TFEU and Regulation (EU) 2018/1725 against unauthorised disclosure, they should seriously consider:
- First, ensuring that data processed on their behalf is located in the EU/EEA, and
- Second, only using service providers that were not subject to conflicting third-country laws with extra-territorial scope.”
Microsoft says it is listening to regulators and customers and is willing to adjust its rules as “legal interpretations of European privacy laws evolve. This includes alignment with the recent law designed for EU institutions.”
The EDPS noted that despite scepticism from many European organisations, it had, ultimately, won positive changes.
The watchdog added: “We would therefore encourage controllers not to be disheartened at the prospect of negotiating instructions with a processor that they consider necessary to protect the rights and freedoms of data subjects; even when faced with a business partner of considerable heft.”