EU Has “Concerns” About Microsoft Data Compliance

Posted on October 21, 2019 by Paul Thurrott in Microsoft with 5 Comments

With rival U.S. tech firms falling one-by-one to increased antitrust scrutiny at home and in the EU, Microsoft has remained largely unscathed. But a preliminary report by the European Data Protection Supervisor, an EU-based data watchdog, suggests that it could still run into some legal issues in Europe.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” an EDPS statement issued Monday reads.

The EDPS launched a preliminary investigation into the EU’s use of Microsoft products and services in April to determine whether its contracts with various EU institutions comply with the bloc’s data protection rules, in particular the General Data Protection Regulation (GDPR). Today’s statement suggests that they do not, though there are no further details.

“When relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf,” the EDPS’ Wojciech Wiewiorowski said back in April. “They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks.”

Microsoft has been assisting the investigation, and it has made changes in the past, as with a 2018 Dutch case concerning Office 365 ProPlus, to comply with EU data protection rules.


5 responses to “EU Has “Concerns” About Microsoft Data Compliance”

  1. Daekar

    I think this will largely be a non-issue. Even if there are problems found (wouldn't surprise me if there were), Microsoft will move quickly to address them unless the EU starts demanding out-of-character things like that all world data be stored in its territory, or something equally absurd. Hopefully they won't prove me wrong.

    • wright_is

      In reply to Daekar:

      Not absurd, but, for example, transparency on telemetry and opt-in as default is the current legal requirement. Currently Windows 10 and Office offer no transparency and only opt-down to a minimum amount of telemetry, no opt-out at all, let alone being opted-out as standard and allowing the user to opt-in.

      Then there is the problem with real data stored in the MS cloud (see my comment on the Premium side).

  2. wright_is

    One of the problems is the lack of transparency on the data they collect, in Windows and in Office (although in Office 365, you can now turn most of the data gathering off).

    More important is the sentence, "the EU institutions remain accountable for any data processing carried out on their behalf," which means that they are responsible for the data, even though Microsoft stores it. That means PII has to remain within the EU (and tax data within the country of origin, unless you get an exemption certificate) or it has to be stored in countries with an equivalent level of protection to the GDPR. Given the secret FISA courts, National Security Letters etc. that the US Government can place on companies with (even) a presence in the USA, that makes them storing the data very dodgy.

    If an EU government agency, an EU company (or subsidiary) or an EU citizen stores data on the Microsoft cloud and Microsoft hands the data over to the US Government under FISA/NSL or an American search warrant (only EU search warrants are valid for EU data), the owner of the data (the EU agency, company) is still responsible for the data breach and can be fined a minimum of 20M€ or up to 4% of international turnover, that is regardless of whether Microsoft themselves would also be prosecuted in the EU for handing the data over in the USA.

  3. warren

    Even with the best of intentions, full and proper GDPR compliance is very difficult for large companies. Writing code that runs afoul of the various regulations is easy to do, but hard to detect. You have to give training to every developer, every product manager, and every QA tester... and those individuals can't be lazy or forgetful about it.

    So yeah, they'll find problems at Microsoft. They're an easy target given the popularity of Azure. But, the EDPS would probably find problems at almost any company they investigate.

    • hrlngrv

      In reply to warren:

      FWLIW, I get comprehensive databases of US workers compensation and healthcare insurance for various clients over the course of the year, and more than a few are stupid enough not to eliminate Name, DOB and SSN fields, which I believe has been required for almost 2 decades at this point.

      Point: there are a lot of careless/clueless people with way too much access to sensitive personal data.
