Microsoft updates cloud contract privacy amid EDPS probe

By Kyle Brasseur2019-11-18T21:11:00+00:00

No comments

Microsoft on Monday announced updates to the privacy provisions of its commercial cloud contracts designed to address concerns raised by an investigation from the European Union’s top data watchdog for institutions.

In October, the European Data Protection Supervisor provided an update on a probe it launched into Microsoft in April, saying preliminary findings revealed “serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.” EU institutions rely on Microsoft services and products to carry out their daily activities.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data. Nevertheless, they remain accountable for any processing activities carried out on their behalf,” the EDPS wrote. “… The same applies to all controllers operating within the [European Economic Area].”

The focus of the EDPS investigation is to assess whether contractual agreements between Microsoft and EU institutions are fully compliant with data protection rules. The probe was launched following the results of a Data Protection Impact Assessment performed by the Dutch Ministry of Justice and Security and shared in November 2018.

“Our updated [Online Services Terms] will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security,” Julie Brill, chief privacy officer at Microsoft, wrote in a blog post. “The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.”

As part of the update, Microsoft will clarify it “assumes the role of data controller” when it processes “data for specified administrative and operational purposes” under the cloud services covered by its contracts. “The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under [the General Data Protection Regulation] to ensure that the data is handled in a compliant way,” writes Brill.

Microsoft expects its updated contract provisions to be available to enterprise customers globally at the beginning of 2020.

Good timing

Microsoft’s changes to its cloud contracts come a month after the technology giant was awarded a $10 billion contract by the U.S. Department of Defense to modernize the Pentagon’s technology through cloud services. The 10-year contract for the Joint Enterprise Defense Infrastructure (JEDI) “will provide enterprise level, commercial Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to support Department of Defense business and mission operations,” according to the DOD.

While the provisions of the GDPR do not apply to Washington D.C., Microsoft would be prudent to provide similar contractual terms given the expectation the United States will tackle privacy legislation similar to the European Union at the federal level within the 10-year lifespan of the contract.

Kyle BrasseurKyle Brasseur is Editor in Chief of Compliance Week. His background includes expertise in user personalization with ESPN.com.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact the CW Editor.

Article
From sea to shining CCPA: Microsoft to extend privacy law across U.S.

2019-11-13T18:27:00Z By Kyle Brasseur

In a blog post this week, Microsoft announced its intention to extend the core rights of the upcoming California Consumer Privacy Act to its customers across the United States.
Article
Microsoft president: Tech companies must embrace privacy regs

2019-10-23T18:27:00Z By Neil Hodge

At a recent data privacy event, Microsoft’s president and chief legal officer discussed the evolution of data protection rules and how new technology needs to better align with privacy regulation.
Article
Microsoft facing GDPR probe in Ireland

2019-08-28T15:57:00Z By Kyle Brasseur

The Dutch Data Protection Agency has referred Microsoft to its home EU regulator in Ireland regarding new privacy concerns with its Windows 10 operating system.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Data Privacy

Premium
EDPB decision sparks ‘consent or pay’ debate for Big Tech firms

2024-04-19T19:16:00Z By Neil Hodge

Big Tech firms might need to rethink their plans to charge users for not selling their personal data for behavioral advertising following a decision by Europe’s primary data regulator.
News Brief
CPPA warns of collecting too much data in first enforcement advisory

2024-04-05T19:40:00Z By Adrianne Appel

The California Privacy Protection Agency warned businesses to stop asking for excessive information from consumers who have requested to opt out of having their data collected or who are otherwise exercising their privacy rights under the California Consumer Privacy Act.
News Brief
DOT launches first data privacy review of 10 biggest airlines

2024-03-22T16:27:00Z By Jeff Dale

The U.S. Department of Transportation is looking to thwart the nation’s 10 largest airlines from monetizing passenger data or selling it to third parties.