Microsoft’s contracts with European Union institutions do not fully protect data in line with EU law, the European Data Protection Supervisor (EDPS) said in initial findings published on Monday (21 October).
The EDPS, the EU’s data watchdog, opened an investigation in April to assess whether contracts between Microsoft and EU institutions such as the European Commission fully complied with the bloc’s data protection rules.
“Though the investigation is still ongoing, preliminary results reveal serious concerns over compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” the EDPS says in a statement.
The EU introduced new rules on data protection in 2018, known as GDPR, applicable to all companies operating in the bloc and designed to give individuals more control over their personal data and to create a more level playing field for businesses.
“We are committed to helping our customers comply with GDPR, Regulation 2018/1725 and other applicable laws,” a Microsoft spokesman said.
“We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”
The EDPS has worked with the Dutch ministry of justice, which carried out risk assessments last June and found that public authorities in member states face similar issues.
The two have since set up a forum designed to set up fair rules for public administrations.
The EDPS said there is “significant scope” for improvement of contracts with powerful software developers and that contractual terms and technical safeguards agreed between the Dutch ministry and Microsoft were a positive step forwards.
The EDPS said such solutions should be extended to all public and private bodies in the EU and also to individuals.