EU institution staff ‘unaware’ of Microsoft data misuse, EU data chief says


Members of staff working across the EU institutions are “not aware” of the extent to which the US tech firm Microsoft collects and stores their data as part of the use of their products and services, the EU’s data protection watchdog has told EURACTIV.

The European Data Protection Supervisor (EDPS) had previously disclosed in October that it had “serious concerns” with regard to “the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions.”

The issue centres around the concern that the contractual terms under agreements for the provision of Microsoft products and services to the EU institutions could be in breach of EU data protection law.

The acting EDPS head, Wojciech Wiewiórowski, told EURACTIV on Wednesday (6 November) that EU institution staff “are not aware of all the data which is collected by Microsoft,” adding that the EDPS is in the process of drafting a set of guidelines to submit to the Commission concerning the necessary revisions that need to be made to the contractual agreements with Microsoft, in order for data protection standards to be met. The guidelines are due to be sent to the Commission by the end of November.

Wiewiórowski added that the EU’s data protection watchdog also had concerns over the fact that the contracts, which were signed by the Commission’s DG DIGIT in 2018, only allow for unilateral revisions to be made by the provider, Microsoft.

A further worry for the EDPS is the “limited possibility of conducting audits” in the contractual agreements, meaning that there is no set framework for the examination of compliance with standards and practices.

Other public administrations in the EU have also raised concerns on the signing of contracts with Microsoft for the provision of products and services. The Dutch Ministry of Justice and Security conducted an assessment earlier in the year, which brought to light similar issues. After a protracted negotiation, Microsoft agreed to the revision of contractual clauses earlier this year, which if replicated for the EU institutions, would also meet the recommendations that the EDPS are submitting to the Commission.

In a statement, a Microsoft spokesperson said that the company is “committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws. We are in discussions with our customers in the EU institutions, and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”

Wiewiórowski’s bid for the top job

Wiewiórowski is staking his claim for the EU’s top data protection job, following the death of the previous head of the EDPS, Giovanni Buttarelli, earlier this year. A shortlist of potential candidates for the role has been sent to the European Parliament, and a decision on the next head will have to be made by the end of the current term on December 5.

One EU official familiar with the subject told EURACTIV that Wiewiórowski’s appointment, although a “rational choice,” is “far from certain,” as approval is needed by both the Parliament and the Council.

Earlier this week, Wiewiórowski informed EURACTIV about a number of pressing concerns related to the future of the EU’s data protection playing field. The most important areas to make headway in concern the legal challenge of making European solutions the “benchmark” for other data protection regimes around the world, such as the US and China; establishing smart and accountable public institutions whereby EU institutions are fully aware of all the data collected in their operations; and thirdly helping make “data protection go smart” – in this regard, Wiewiórowski says, “the law is not enough” and digital systems and architectures should be created at each step of the way with the importance of data protection in mind.

China & Brexit

More broadly, Wiewiórowski has concerns about the EU’s future relationships with political regimes that do not share the same values as Europe.

“We do not share basic principles with China,” he said. “When I meet a representative of a company like Huawei, they always tell me that they never collect data secretly and the data they do collect is never sent to China. But my question is this: where is the legal and independent assurance of their claims.”

Elsewhere, the issue of the UK’s impending departure from the EU is very much on Wiewiórowski’s radar. Speaking at Lisbon’s Web Summit this week, the EU’s Brexit negotiator Michel Barnier highlighted the need for data agreements to be secured between the UK and the EU post-Brexit, reiterating a commitment outlined in the political declaration. In order to form an agreement, the EU will have to conduct an evaluation of the UK’s data protection standards, despite the UK committing to maintaining the general framework of the GDPR. However, there could be serious bumps in the road, especially when taking into account the UK’s previous ‘questionable’ track record in mass surveillance programs and the fact that the ECHR ruled in September 2018 that the UK had breached human rights in its mass surveillance program.

Nevertheless, Wiewiórowski is staying optimistic, should the UK leave the EU with a deal. If not, the process becomes more challenging, but if the EU can establish adequacy agreements with countries such as Israel – a country with questionable data protection standards, Wiewiórowski says – then the UK shouldn’t be an issue.

Facial recognition

Elsewhere, Wiewiórowski believes the EU should be seen to be taking proactive steps in the field of facial recognition, which remains a woefully unregulated area.

In a recent blog post, he highlighted the use of facial recognition for unethical means worldwide, particularly in Hong Kong, where there have been concerns that the technology is being used to track protestors. The wearing of masks by demonstrators has become a symbol of resistance against the authoritarian employment of facial recognition technology.

However, in Europe, a “general ban” is not the answer, Wiewiórowski believes. But the subject of how the technology could be regulated should be on everyone’s lips in Brussels. “Where are the places that we want to see the most made out of this technology, and where are the places that we don’t.”

“I’m not ashamed that we don’t know the answers to these questions yet, I’m ashamed that we don’t ask the questions,” he said.

(Edited by Benjamin Fox)
