Microsoft Updates Privacy Terms Following EU Probe

Marco Green
November 19, 2019

The European Data Protection Supervisor also launched an investigation in April after it found EU institutions using Microsoft services may be subject to similar problems. Microsoft wants to make it easier for organizations to deal with new privacy regulations like the EU's GDPR.

A study commissioned by the Dutch government a year ago found that Microsoft was violating the EU's General Data Protection Regulation as it failed to disclose fully how it collects and uses data on users of cloud products such as Office and sends this to the United States for processing.

The vendor stated that the move provides clarity to its customers about its compliance under GDPR and was formulated in conjunction with the Dutch Ministry of Justice and Security (MoJ), which also previously criticised Microsoft's data protection capabilities.

Microsoft has announced changes to its privacy policy for customers using online services, following concerns from the Dutch government over disclosure of how it handles customer data.

She continued: "Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ)".

As a result of the probe, Microsoft has revealed its updated Online Services Terms (OST), which it claims will increase its data protection responsibilities for a segment of its enterprise customers. Concerned that some of the data-handling procedures in Office 365 and Office mobile apps were not in compliance with GDPR guidelines, the ministry went so far as to warn other European governments not to use the Microsoft services.

"EU institutions rely on Microsoft services and products to carry out their daily activities". "In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune".

Microsoft has already started the work to adopt the updated OST and will bring it to all public sector and enterprise customers globally at the beginning of 2020.

The company's changes to its "Online Services Terms" in the European Union were announced by Microsoft's chief privacy officer Julie Brill, who claimed that it was a result of "additional feedback we've heard from our customers".

"This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyberattacks on any Microsoft product or service; and complying with our legal obligations". It also supports Microsoft's commitment to be accountable under GDPR.

Microsoft now designates itself as a data processor, rather than a data controller, for these administrative and operations functions that can be linked to the provision of commercial cloud services, such as its Azure platform.
