European Union Privacy Watchguard, the GDPR and Microsoft

The next round in the debate about Microsoft and data protection regulation. The European Data Protection Supervisor (EDPS) has once again expressed concerns about the conformity of Microsoft products with the GDPR. The EDPS is working to ensure that the same data protection rules apply to all authorities and users within the European Economic Area (EEA) when they conclude contracts with Microsoft. This also applies to the processing of data in the cloud.


Specifically, the European Data Protection Supervisor has issued a press release entitled "EDPS investigation into IT contracts: stronger cooperation to better protect rights of all individuals".

The Background

The EDPS is concerned with the data protection stance that the individual authorities in the Member States take towards Microsoft. The EU Data Protection Supervisor's perspective: cooperation between Member State authorities, EU institutions and other international organisations is essential to ensure that contractual arrangements and measures with Microsoft guarantee an equal level of protection of individual rights throughout the European Economic Area (EEA).

The amended contract terms, technical guarantees and measures agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect individual rights show that there is considerable room for improvement in how contracts are negotiated between public administrations and the most powerful software developers and online service providers.

The EDPS considers that such solutions should be extended not only to all public and private entities in the EU, which is its short-term expectation, but also to individuals. A sound approach, since the GDPR requires exactly that.

Some History

In April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and examined whether the contractual arrangements between Microsoft and the EU institutions fully comply with data protection rules. The EDPS also examined whether there are appropriate measures in place to mitigate the risks to the data protection rights of individuals when EU institutions use Microsoft products and services.


Interim results available

Although the investigation has not yet been completed, preliminary results show serious concerns about compliance with the relevant contractual terms, including data protection rules and Microsoft's role as a processor for EU institutions using its products and services.

Similar risk assessments have been carried out by the Dutch Ministry of Justice and Security, confirming that the authorities in the Member States face similar problems. Together with the Dutch Ministry of Justice and Security, the EDPS organised the first EU software and cloud suppliers customer council on 29 August 2019 in The Hague. There, the participants founded The Hague Forum. The Forum will discuss how to regain control over the IT services and products offered by the major IT service providers. It should also discuss the need to jointly negotiate standard contracts instead of accepting the conditions set by these providers.

The EDPS encourages all interested parties to join the Forum and help EU Data Protection Officers to establish fair contractual conditions for the public administration. The main objective is to work in synergy and to apply best practices in outsourcing services, in particular in a cloud environment.

Expectation: compliance with data protection rules

Wojciech Wiewiórowski, Assistant EDPS, said: "We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible. The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward. Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consu

When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data. Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks, and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.

As the late EDPS Giovanni Buttarelli emphasised in a blog post in April 2019, transparency is vital to ensuring data and consumer protection in contractual agreements. Not only does it help expose practices designed to nudge people towards accepting excessive personal data processing or rushing into purchase decisions; when signing up to a service, people should also not be compelled to accept personal data processing that they are not comfortable with.

This entry was posted in Security.
