EU Has “Concerns” About Microsoft Data Compliance

With rival U.S. tech firms falling one-by-one to increased antitrust scrutiny at home and in the EU, Microsoft has remained largely unscathed. But a preliminary report by the European Data Protection Supervisor, an EU-based data watchdog, suggests that it could still run into some legal issues in Europe.

“Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” an EDPS statement issued Monday reads.


The EDPS launched a preliminary investigation into the EU’s use of Microsoft products and services in April to determine whether its contracts with various EU institutions comply with the bloc’s data protection rules, in particular the General Data Protection Regulation (GDPR). Today’s statement suggests that they do not, though it gives no further details.

“When relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf,” the EDPS’ Wojciech Wiewiorowski said back in April. “They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks.”

Microsoft has been assisting the investigation, and it has made changes in the past, as with a 2018 Dutch case concerning Office 365 ProPlus, to comply with EU data protection rules.


Conversation 5 comments

  • Daekar

    21 October, 2019 - 8:51 am

    I think this will largely be a non-issue. Even if there are problems found (wouldn't surprise me if there were), Microsoft will move quickly to address them unless the EU starts demanding out-of-character things like that all world data be stored in its territory, or something equally absurd. Hopefully they won't prove me wrong.

    • wright_is

      Premium Member
      21 October, 2019 - 9:07 am

      > In reply to Daekar:

      Not absurd, but, for example, transparency on telemetry and opt-in as default is the current legal requirement. Currently Windows 10 and Office offer no transparency and only opt-down to a minimum amount of telemetry, no opt-out at all, let alone being opted out as standard and allowing the user to opt in.

      Then there is the problem with real data stored in the MS cloud (see my comment on the Premium side).

  • wright_is

    Premium Member
    21 October, 2019 - 8:57 am

    One of the problems is the lack of transparency on the data they collect, in Windows and in Office (although in Office 365, you can now turn most of the data gathering off).

    More important is the sentence, "the EU institutions remain accountable for any data processing carried out on their behalf," which means that they are responsible for the data, even though Microsoft stores it. That means PII has to remain within the EU (and tax data within the country of origin, unless you get an exemption certificate) or it has to be stored in countries with an equivalent level of protection to the GDPR. Given the secret FISA courts, National Security Letters etc. that the US Government can place on companies with (even) a presence in the USA, that makes them storing the data very dodgy.

    If an EU government agency, an EU company (or subsidiary) or an EU citizen stores data on the Microsoft cloud and Microsoft hands the data over to the US Government under FISA/NSL or an American search warrant (only EU search warrants are valid for EU data), the owner of the data (the EU agency, company) is still responsible for the data breach and can be fined a minimum of 20M€ or up to 4% of international turnover, regardless of whether Microsoft themselves would also be prosecuted in the EU for handing the data over in the USA.

  • warren

    21 October, 2019 - 9:14 am

    Even with the best of intentions, full and proper GDPR compliance is very difficult for large companies. Writing code that runs afoul of the various regulations is easy to do, but hard to detect. You have to give training to every developer, every product manager, and every QA tester… and those individuals can't be lazy or forgetful about it.

    So yeah, they'll find problems at Microsoft. They're an easy target given the popularity of Azure. But the EDPS would probably find problems at almost any company they investigate.

    • hrlngrv

      Premium Member
      21 October, 2019 - 7:11 pm

      > In reply to warren:

      FWLIW, I get comprehensive databases of US workers' compensation and healthcare insurance for various clients over the course of the year, and more than a few are stupid enough not to eliminate Name, DOB and SSN fields, which I believe has been required for almost 2 decades at this point.

      Point: there are a lot of careless/clueless people with way too much access to sensitive personal data.


Thurrott © 2024 Thurrott LLC