Microsoft overhauls its privacy policy amid EU concerns

Data processing responsibilities will be clearly defined on all commercial cloud contracts as of early 2020

Microsoft has said it will be updating its privacy provisions for commercial cloud contracts after a report from EU regulators last month questioned the company's ability to comply with data laws.

The European Data Protection Supervisor (EDPS), an independent authority that oversees the application of GDPR, launched an investigation in April to assess whether the company's contracts with EU institutions violated the rules.

The results of that investigation, released in October, raised "serious concerns" about Microsoft's ability to provide appropriate safeguards for the processing of data done on behalf of the EU bodies it services.

In a statement on its website on Monday, Microsoft said: "We are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services".

Last year the company worked alongside the Dutch Ministry of Justice and Security to amend contractual terms of a services agreement after authorities raised similar concerns about the lack of technical safeguards for the processing of data.

Monday's privacy policy update is designed to extend those amendments across all commercial cloud contracts globally for both the private and public sector, the company explained.

"We will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune," the company said.

"This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.

"The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under GDPR to ensure that the data is handled in a compliant way."

Microsoft will remain the data processor when providing its services, fixing bugs, operating security services, and providing software updates, the statement added.

The policy overhaul comes just days after the company committed to applying the California Consumer Privacy Act to all US states once it comes into force in January 2020, although it has no legal obligation to do so.

The company expects the new policy terms to be applied to all commercial cloud contracts by the beginning of 2020.
