EU Investigations into Microsoft

Written by: Chase Langhorne, Esq.

On October 21, the European Data Protection Supervisor (“EDPS”) issued an update on its investigation, begun in April 2019, into contracts between Microsoft and EU institutions. “EU institutions” consist of the following seven decision-making bodies of the EU: the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, and the Court of Auditors.

The investigation focuses on whether the contracts between EU institutions and Microsoft were adequate to protect the data processed by Microsoft, specifically via its Office 365 suite of applications. The EDPS notes that the investigation is still ongoing, but preliminary findings give cause for “serious concerns” over the compliance of the personal data protection terms in the contracts that Microsoft has with public authorities. The EDPS goes on to say that there is significant room for improvement in the development of contracts between “the most powerful software processors” and private companies and public authorities alike, in order to protect all individuals in the EU. This comment by the EDPS is in line with the underlying policy of requiring such contractual terms to limit the processing of personal data so as to protect individuals in the EU.

The Dutch Data Protection Authority is conducting a concurrent investigation into the alleged inadequacies of Microsoft’s contractual terms with government entities. The Dutch DPA had an outside vendor conduct three data protection impact assessments and reached the conclusion that the Microsoft Office 365 suite of applications is collecting functional and diagnostic data, containing personal data, from e-mail subject lines and from the applications’ spell-check functionality. The concern is that the personal data processed to obtain this functional and diagnostic data is being used for purposes other than those required to provide the contracted services. Not only would this contradict the existing terms of Microsoft’s contracts, but it would also violate GDPR’s requirement that personal data be processed only to the extent necessary to provide the contracted service.