The European Union's Data Protection Supervisor (EDPS) has announced an investigation into Microsoft products used by EU institutions.
The probe will build a list of Microsoft wares in use by official bloc bodies and check that the "contractual arrangements" between the two are "fully compliant with data protection rules".
The move is at least partially in response to a report commissioned by the Dutch government that found that the software giant's Office Pro Plus application suite, which includes the likes of Word and Outlook, was collecting all manner of data and stashing it on US-based servers.
That got regulators a little hot under the collar since such activities are very much frowned upon under the General Data Protection Regulation (GDPR). Users can alter the amount of data slurped by Microsoft's productivity applications (assuming they can find the settings) but not easily turn it off completely.
The EDPS noted that any EU institutions using the applications investigated in the Dutch report will face similar issues including, according to the watchdog, "increased risks to the rights and freedoms of individuals".
The EDPS is responsible for monitoring the GDPR compliance of EU institutions, as well as making sure the public is aware of the risks associated with personal data being flung around the hallowed halls of the EU (or possibly around the US-based clouds of software giants).
It will then work with national authorities to mitigate those risks.
Politico reported in February that Microsoft and the Dutch Ministry of Justice had come up with a solution to the data slurpage worries in the form of an update due by the end of April. If Microsoft's responses were not to the liking of Dutch lawmakers, the ministry could go running to the European data protection authorities.
The EU is not noted for its lightning reflexes, and a spokesperson for the EDPS told The Register that it was difficult to say how long the investigation would take. "Some months for sure."
A Microsoft spokesperson told us: "We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws and are confident that our contractual arrangements allow customers to do so. We stand ready to help our customers answer any questions the European Data Protection Supervisor may have." ®