Microsoft on Monday announced updates to the privacy provisions of its commercial cloud contracts designed to address concerns raised by an investigation from the European Union’s top data watchdog for institutions.

In October, the European Data Protection Supervisor provided an update on a probe it launched into Microsoft in April, saying preliminary findings revealed “serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services.” EU institutions rely on Microsoft services and products to carry out their daily activities.

“When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data. Nevertheless, they remain accountable for any processing activities carried out on their behalf,” the EDPS wrote. “… The same applies to all controllers operating within the [European Economic Area].”

The focus of the EDPS investigation is to assess whether contractual agreements between Microsoft and EU institutions are fully compliant with data protection rules. The probe was launched following the results of a Data Protection Impact Assessment performed by the Dutch Ministry of Justice and Security and shared in November 2018.

“Our updated [Online Services Terms] will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security,” Julie Brill, chief privacy officer at Microsoft, wrote in a blog post. “The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud.”

As part of the update, Microsoft will clarify that it “assumes the role of data controller” when it processes “data for specified administrative and operational purposes” under the cloud services covered by its contracts. “The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under [the General Data Protection Regulation] to ensure that the data is handled in a compliant way,” Brill wrote.

Microsoft expects its updated contract provisions to be available to enterprise customers globally at the beginning of 2020.

Good timing

Microsoft’s changes to its cloud contracts come a month after the technology giant was awarded a $10 billion contract by the U.S. Department of Defense to modernize the Pentagon’s technology through cloud services. The 10-year contract for the Joint Enterprise Defense Infrastructure (JEDI) “will provide enterprise level, commercial Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) to support Department of Defense business and mission operations,” according to the DOD.

While the provisions of the GDPR do not apply to Washington, D.C., Microsoft would be prudent to provide similar contractual terms, given the expectation that the United States will tackle federal privacy legislation similar to the European Union’s within the 10-year lifespan of the contract.