Microsoft has updated its Online Services Terms (OST) for commercial cloud contracts. The terms now acknowledge that Microsoft acts as a data controller under GDPR for part of the processing it carries out in providing those services, the role that carries the strictest obligations under the regulation.
The change comes amid concerted pressure from European authorities, who have expressed growing concern about the GDPR compliance of Microsoft’s user data collection (or “telemetry”) across Windows 10, Office 365 and other services.
The update follows a report by the European Data Protection Supervisor (EDPS) on October 21, 2019, that raised “serious concerns over compliance” and “the role of Microsoft as a processor for EU institutions”. That report noted “there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers.”
It came amid debate over who is the data controller when Microsoft products serving European organisations "phone home" with telemetry data.
GDPR sets different obligations depending on whether a business is a data controller, joint controller or processor. Data controllers shoulder the highest level of responsibility for what happens to personal data. Processors handle the data only on the controller's documented instructions and carry their own, narrower, set of obligations.
Julie Brill, Microsoft’s chief privacy officer, said: “We will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune.”
Microsoft Cloud Terms Change Reflects Privacy Pressure
Brill added: “This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.”
The updated OST reflects contractual changes Microsoft developed with the Dutch Ministry of Justice, she added, saying the new contract provisions will be available to all public sector and enterprise customers globally at the beginning of 2020.
Brill said in a blog today: “Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud”.
Microsoft is currently the only major cloud provider to offer such terms in the European Economic Area (EEA) and beyond, she added.
What About Windows 10?
The post does not answer a number of questions raised by Dutch authorities about Windows 10 telemetry.
Set to its most permissive telemetry level, a computer running Windows 10 reports information on up to around 1,200 distinct event types covering the computer, the software and its user’s behaviour back to Microsoft’s central (US-based) Cosmos database.
At any given time roughly 10 engineering teams have access to the harvested data, and the collection is dynamic: Microsoft engineers can add new event types to the telemetry stream without prior notice to users.
(Office 365 telemetry, by comparison, comprises between 23,000 and 25,000 event types, accessible to 20 to 30 engineering teams, Dutch analysis shows.)
Windows 10 is not covered by the updated Online Service Terms.
Microsoft: “We Remain Committed to Listening”
Microsoft already considers itself to be the sole data controller for all processing of personal data through and about Windows 10.
But as Dutch officials noted in a July report: “Microsoft has not concluded a data processing agreement with its Enterprise customers for Windows 10. Instead, the standard consumer-oriented privacy terms and conditions of Microsoft apply.”
They added: “As a sole data controller, because Microsoft stores telemetry data on the device and makes the software send these data to its servers in the USA, based on the Dutch Telecommunications Act, Microsoft would need to obtain specific and informed consent from the employees before processing their personal data. Other legal grounds are not available. Opt-outs cannot be qualified as consent, neither from the employees nor from the administrators. Employees are in a dependent position relative to their employer and cannot refuse to use the Windows 10 operating system.”
Microsoft’s Brill added today: “Before and after GDPR became law in the EU, Microsoft has taken steps to ensure that we protect the privacy of all who use our products and services. We continue to work on behalf of customers to remain aligned with the evolving legal interpretations of GDPR. For example, customer feedback from the Dutch MoJ and others has led to the global roll out of a number of new privacy tools across our major services, specific changes to Office 365 ProPlus as well as increased transparency regarding use of diagnostic data.
“We remain committed to listening closely to our customers’ needs and concerns regarding privacy.”