The European Data Protection Supervisor (EDPS) today warned that Microsoft’s products as used by European organisations may not comply with GDPR, in a bombshell report.
The initial findings, published today, follow an investigation that the EDPS opened in April and raise “serious concerns over compliance” and “the role of Microsoft as a processor for EU institutions”.
The company’s software products as used by EU institutions appear to be a data protection risk, it claimed, as European member states and institutions launch a drive to wean themselves off the US firm’s software.
“Preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” the EDPS said, in a finding likely to raise serious alarm bells in Redmond.
“Public authorities in the Member States face similar issues.”
It is urging stronger efforts to rewrite contracts with Microsoft and other major software providers.
“Amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals shows that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers.
“The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals”, the Assistant EDPS said today.
This “aims to discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers,” the EDPS said.
“The EDPS encourages all concerned parties to join the Forum and help us to set fair contractual terms for public administration,” it added.
The publication comes a month after Germany’s interior minister warned in a sharply worded statement that the use of international IT providers comes with dependency issues, troublesome user data collection (telemetry), and “internationally heterogeneous legislation”.
Horst Seehofer said his ministry – “in close coordination with the EU” – would be looking to “reduce dependencies on individual IT providers, as well as review alternative programs to replace specific software” and ramping up efforts to build out open source alternatives.