October 21, 2019, updated 22 Oct 2019 10:17am

Bombshell EU Report Warns Microsoft Likely Not GDPR-Compliant

"Hague Forum" aims to "take back control over IT services"

By CBR Staff Writer

The European Data Protection Supervisor (EDPS) today warned, in a bombshell report, that Microsoft’s products as used by European organisations may not comply with GDPR.

The initial findings, published today, follow an investigation that the EDPS opened in April and raise “serious concerns over compliance” and “the role of Microsoft as a processor for EU institutions”.

The company’s software products as used by EU institutions appear to be a data protection risk, it claimed, as European member states and institutions launch a drive to wean themselves off the US firm’s software.

“Preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” the EDPS said, in a finding likely to raise serious alarm bells in Redmond.

“Public authorities in the Member States face similar issues.”

It is urging stronger efforts to rewrite contracts with Microsoft and other major software providers.

“Amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals shows that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers.

“The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals”, the Assistant EDPS said today.

European Data Protection Supervisor: “Take Back Control”

Together with the Dutch Ministry of Justice and Security, in August the EDPS organised the first EU software and cloud suppliers customer council, a meeting that led to the creation of the so-called “Hague Forum”.

This “aims to discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers,” the EDPS said.

“The EDPS encourages all concerned parties to join the Forum and help us to set fair contractual terms for public administration,” it added.

The publication comes a month after Germany’s interior minister warned in a sharply worded statement that the use of international IT providers comes with dependency issues, troublesome user data collection (telemetry), and “internationally heterogeneous legislation”.

Horst Seehofer said his ministry – “in close coordination with the EU” – would be looking to “reduce dependencies on individual IT providers, as well as review alternative programs to replace specific software” and ramping up efforts to build out open source alternatives.
