Cooperation between public authorities in the Member States, EU institutions and other international organisations is essential to ensure that contractual arrangements and measures with Microsoft provide the same level of protection for individual rights throughout the European Economic Area (EEA). The amended contractual terms, technical safeguards and settings agreed between the Dutch Ministry of Justice and Security and Microsoft to better protect the rights of individuals show that there is significant scope for improvement in the development of contracts between public administration and the most powerful software developers and online service outsourcers. The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals, the Assistant EDPS said today.

In April 2019, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. The investigation identified the Microsoft products and services used by the EU institutions and assessed whether the contractual agreements concluded between Microsoft and the EU institutions are fully compliant with data protection rules. The EDPS also considered whether there were appropriate measures in place to mitigate risks to the data protection rights of individuals when EU institutions use Microsoft products and services.

Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. Similar risk assessments carried out by the Dutch Ministry of Justice and Security confirmed that public authorities in the Member States face similar issues.

Together with the Dutch Ministry of Justice and Security, the EDPS organised the first EU software and cloud suppliers customer council in The Hague on 29 August 2019, where participants established The Hague Forum, which aims to discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts instead of accepting the terms and conditions as they are written by these providers. The EDPS encourages all concerned parties to join the Forum and help us to set fair contractual terms for public administration, working in synergy and exchanging best practices in outsourcing services, especially in the demanding cloud environment.

Wojciech Wiewiórowski, Assistant EDPS, said: “We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible. The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward. Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA.”

When using the products and services of IT service providers, EU institutions outsource the processing of large amounts of personal data. Nevertheless, they remain accountable for any processing activities carried out on their behalf. They must assess the risks, and have appropriate contractual and technical safeguards in place to mitigate those risks. The same applies to all controllers operating within the EEA.

As the late EDPS Giovanni Buttarelli emphasised in a blog post in April 2019, transparency is vital to ensuring data and consumer protection in contractual agreements. Not only does it help expose any practices designed to nudge people towards accepting excessive personal data processing or rushing into purchase decisions, but it also means that, when signing up to a service, people should not be compelled to accept personal data processing that they are not comfortable with.