The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between Microsoft and the EU institutions complied with the applicable EU data protection rules (1). Microsoft responded by reviewing its Online Services Terms (OST) (2).
On 2 July 2020, the EDPS issued its findings and recommendations from the investigation into EU institutions’ use of Microsoft products and services (3).
A - MICROSOFT AS CONTROLLER
According to the EDPS, Microsoft acts as a “controller”. The EDPS made three main criticisms of the considerable leeway left to Microsoft by the EU institutions in this regard (4).
1. Microsoft’s right of unilateral amendment
The Inter-Institutional Licence Agreement (ILA) signed with Microsoft granted Microsoft an unlimited right to modify all the sets of standard terms that were incorporated into it by reference.
In addition, it was possible for Microsoft to make far-reaching changes to the data protection terms of the ILA by changing a set of standard terms incorporated into it. For example, in January 2020, Microsoft moved a number of important data protection terms out of the OST and into a new standard document, called the “Data Protection Addendum”.
The content of those data protection terms also underwent substantial revision.
Moreover, at the time the EDPS concluded its investigation, there was no express contractual link between the Data Protection Addendum and the ILA, such as a statement in the OST that the Data Protection Addendum formed part of the OST.
Overall, the EDPS considered that there was a high risk that Microsoft could change, for example, the purposes for which it processed personal data, the location of data and the rules governing disclosure and transfer of data, without EU institutions having any contractual recourse against the changes.
2. The limited scope of the data protection obligations in the ILA (limited data protection obligations)
Some categories of data gathered and used by Microsoft as a consequence of the EU institutions’ use of its products and services fell outside the scope of the contractual protections altogether.
In the EDPS’ view, EU institutions had few or no contractual controls over what personal data was collected by Microsoft from users or what Microsoft could do with those data unless the data had been provided via online services and were certain to remain within that category.
3. The lack of specific and explicitly defined purposes for the processing that occurred under this framework (insufficient purpose limitation)
In the context of a detailed and complex agreement between sophisticated operators affecting a large number of data subjects, the EDPS considered it appropriate that the specification of permitted purposes for processing leave little doubt as to what is and is not included within the purpose. In the EDPS’ view, the statement of purpose in the ILA left far too much room for interpretation.
In addition, a number of difficulties remained with the clarity of the purpose limitation. For example, the Data Protection Addendum included “providing personalized user experiences” within the definition of what it meant to “provide” an online service. This directly conflicted with the default prohibition on “user profiling”, raising a question as to how narrowly Microsoft interprets “user profiling”.
RECOMMENDATIONS: Given the risks associated with Microsoft exercising controllership, the EDPS recommended that EU institutions act as sole controller and take the following actions:
- Each EU institution should act as sole controller in respect of its use of Microsoft products and services when performing tasks in the public interest or in the exercise of official authority;
- The umbrella licence agreement should provide for an unambiguous order of precedence;
- The amendments that EU institutions negotiated to Microsoft’s standard terms should be included in the highest-ranking contractual document. So should all the provisions necessary to comply with Regulation (EU) 2018/1725 (a regulation specifically applying to the processing of personal data by EU institutions, i.e. the equivalent of the GDPR for EU institutions);
- It should only be possible to change provisions in the ILA that EU institutions signed with Microsoft affecting data protection by common agreement;
- The scope of provisions in the ILA affecting data protection should be broadened to cover all personal data not only provided to Microsoft but also generated by Microsoft, as a consequence of the EU institutions’ use of all Microsoft products and services;
- EU institutions should negotiate a specific, explicit and exhaustive set of purposes to cover all types of personal data involved in their use of Microsoft products and services. The purposes should be limited to those that were necessary for EU institutions to use those products and services. Other purposes should be expressly prohibited.
B - EU INSTITUTIONS’ LACK OF CONTROL OVER SUB-PROCESSORS
The EDPS regretted the EU institutions’ lack of control over sub-processors, which was apparent in particular from the following elements (5):
- The negotiated data protection terms of the umbrella agreement contained what appeared to be a general authorisation to engage sub-processors. However, it only applied to personal data provided through use of the online services. The EDPS saw no authorisations in place covering the other categories of data processed by Microsoft;
- Microsoft could arrange for so-called security audits to be performed at least yearly by external security auditors selected and paid by Microsoft. The texts did not explain the extent to which such security audits would cover data protection compliance. Nor did they confirm whether the security audits would cover all processing activities falling within the scope of the OST or only some, or also cover processing outside of the scope of the OST.
RECOMMENDATIONS: The EDPS recommended that EU institutions control the use of sub-processors, ensure effective audit rights and take the following actions:
- Assess the risks posed to data subjects by sub-processors currently used by Microsoft;
- Ensure that the use of sub-processors in respect of all personal data processed by Microsoft by virtue of the ILA (and any changes of sub-processor) were subject to a prior written authorisation;
- Introduce in the ILA an obligation on Microsoft to provide complete information first, on which sub-processors were used in respect of each product or service provided to EU institutions and in respect of each processing activity and category of personal data; and second, on the data protection safeguards and security measures (i.e. technical and organisational measures) in place in respect of each sub-processor. This should include an obligation on Microsoft to provide on request the relevant parts of its contract with a particular sub-processor;
- The ILA should be amended in order to provide detailed, effective and enforceable audit rights for the controller and for the EDPS;
- The ILA should also require Microsoft to make available to EU institutions all the information that is needed to demonstrate compliance with Article 29 of Regulation (EU) 2018/1725. The contractual provisions should in the EDPS’ view cover information on the functioning of the systems used, access to data and recipients, sub-processors, security measures, retention of personal data, data location, transfers of personal data or any further processing of the personal data.
C - EU INSTITUTIONS’ LACK OF CONTROL OVER DATA LOCATION AND INTERNATIONAL TRANSFERS
The EDPS’ investigation found that EU institutions were not in a position to control the location of a large part of the data processed by Microsoft. Nor did they have full control over what was transferred outside the EU/EEA and how.
There was also a lack of proper safeguards to protect the data transferred.
RECOMMENDATIONS: In order to overcome these shortcomings, the EDPS recommended that EU institutions control data location, international transfers and disclosures of data and take the following actions:
- The ILA should include provisions detailing, in respect of each Microsoft product and service provided under it, the location of data collected and processed when EU institutions used that specific product or service;
- The ILA should explicitly require Microsoft to implement appropriate contractual, organisational and security safeguards in case of international data transfers. In particular, the ILA should require Microsoft to put in place robust security measures to cover data in transit;
- The ILA should prohibit Microsoft (and sub-processors) from disclosing personal data to Member State authorities, third-country authorities, international organisations or other third parties, unless this was expressly authorised by EU law, or by Member State law to the extent that the conditions laid down in EU law for such disclosure were fulfilled;
- The ILA should require Microsoft to inform affected EU institutions of any request Microsoft or sub-processors received for access to data, immediately upon receipt of the request. As a rule, Microsoft should redirect requests to the EU institution concerned and seek its instructions. In any event, Microsoft should challenge access requests, exhausting all available legal remedies. No disclosures of data by Microsoft or sub-processors should be permitted to take place without the prior notification, agreement and direction of the relevant EU institution and appropriate safeguards being in place. Should an EU institution choose not to disclose data, those data should only be disclosed upon order of the European Court of Justice.
Compliance with Protocol No 7 to the TFEU and Regulation (EU) 2018/1725
In the medium term, if EU institutions wished to maintain the protections afforded by Protocol No 7 to the TFEU and Regulation (EU) 2018/1725 against unauthorised disclosure, they should seriously consider:
- first, ensuring that data processed on their behalf is located in the EU/EEA, and;
- second, only using service providers that were not subject to conflicting third-country laws with extra-territorial scope.
Microsoft’s response is still awaited. This time, however, it should not be limited to a simple update of the contractual documentation, but should also include changes to certain sensitive technical points, in line with the necessary regionalisation of data via data
(1) EDPS investigation into IT contracts: stronger cooperation to better protect rights of all individuals, Press release, 21-10-2019.
(2) Post “Microsoft under a cloud amid GDPR concerns over its cloud contracts”, Eric Le Quellenec, 13-1-2020.
(3) EDPS Public Paper on Outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services, 02-07-2020.
(4) EDPS Public Paper mentioned above, 24.
(5) EDPS Public Paper mentioned above, 66.
Article provided by: Eric Le Quellenec (Lexing, France)
Dr. Tobias Höllwarth (Managing Director INPLP)