EU institutions told to avoid Microsoft software after licence spat

EU data watchdog claims Microsoft's contract terms make it difficult to enforce GDPR

The EU’s data protection watchdog has recommended that public institutions hold back on purchasing any Microsoft software after identifying several major concerns with existing contractual terms.

Arrangements between Microsoft and EU institutions, spanning the work activities of around 45,000 officials, amount to relinquishing their roles as data controllers to the US software giant, the European Data Protection Supervisor (EDPS) has concluded.

This has been deemed “inappropriate”, according to a report, given the role of EU institutions as public service organisations. These institutions comprise bodies critical to the functioning of the EU, including the European Parliament, European Council, and the European Commission, as well as organisations like the European Central Bank, and the European Court of Justice.


Alarmingly, Microsoft can unilaterally define and change parameters of data processing carried out on behalf of the EU, with these terms risking undermining the rights of data subjects, the EDPS report found.

More significantly, the EU has little capacity to ensure that GDPR is not violated, as there is little oversight over how the data is processed, where it is processed, and by which sub-processors.

Once in an agreement with the company, EU bodies are unable to control a large portion of the data processed by Microsoft, and are unable to properly control what is transferred out of the EU.


There are no safeguards to ensure, for example, data protection standards are upheld if Microsoft transports EU officials’ data to a US-based server, with few guarantees to ensure Microsoft only discloses personal data as permitted by EU law.

EU institutions, as a result, should “carefully consider” any purchases of Microsoft products or services, or enrolling new users into already purchased software, until they have analysed and implemented the EDPS’ recommendations.


Bodies, furthermore, should properly embed data protection policies in each specific public information and communications technology procurement procedure, specifying the desired security and data protection measures.

“It is not appropriate that the data of people collected in the provision of services to public authorities is processed for their own purposes by these service providers,” said European Data Protection Supervisor Wojciech Wiewiórowski.

“By sharing technical expertise and by reinforcing regulatory cooperation through this Forum, we can also contribute to ensuring the same level of data protection safeguards and measures for all consumers and public authorities living and operating in the EEA”.

The EDPS has recommended that EU institutions act immediately to retain controllership over data processing activities. European organisations must also put in place a comprehensive controller-processor agreement, with more control over which sub-processors Microsoft uses, as well as retaining a right to audit sub-processors.

Similar concerns, regarding a lack of oversight as to where Microsoft processes data, saw a ban on Office 365 products implemented across schools in a German region last year.


The German state of Hesse, and its data protection authority, imposed restrictions on the use of Microsoft software in July 2019 after ruling that Office 365 exposed information on students and teachers to potential access by US officials. This ban was subsequently lifted on a temporary basis.

The EDPS’ concerns are similar in nature to that case: uncertainty over how the data is being processed arises because Microsoft, under the licences as struck, assumes in effect the role of data controller.

Alarmingly, many of these concerns have arisen as a result of gaps in the contractual drafting rather than by design, with Microsoft being granted far-reaching rights by default.

The report has recommended that each EU institution should act as the sole data controller with respect to the use of Microsoft software when performing tasks related to public service. The terms of previously-struck agreements, meanwhile, should only be changed by common agreement, and not unilaterally.


These recommendations sit alongside a vast number that the EDPS suggests should urgently be implemented before the EU procures any further products developed by Microsoft. They include the right to audit sub-processors, and provisions to grant the EU far more oversight over the international transfer of data.

EU institutions, finally, should be more open when it comes to sharing technical expertise with each other to ensure unlawful transfers of personal data to Microsoft are limited. Where EU bodies plan to use Microsoft products not already in use, they should also perform comprehensive data protection impact assessments prior to deployment.

IT Pro has asked Microsoft for its response to the decision.
