The European Data Protection Supervisor (EDPS) has expressed "serious concerns" over whether the contractual terms of agreements between EU institutions and Microsoft, for use of products such as Windows and Office 365, is compliant with data protection rules.
The statement is the preliminary result of an ongoing investigation launched in April to identify Microsoft products and services licenced by EU bodies and agencies, and to assess whether the Ts&Cs under which they are used complies with the GDPR, the EU's data protection legislation.
The spotlight is as much on EU institutions as it is on Microsoft, since it is the institutions that are accountable for data processed on their behalf, even if that processing is outsourced to Microsoft.
That said, the problem exists because of Microsoft's data collection practices. This was probed by the Dutch Ministry of Justice and Security, which has published the results in a series of papers. These documents are required reading for those interested in the nuances of telemetry, data collection, personalisation, and the roles of different organisations as defined in the GDPR.
Issues analysed by the Dutch report include the impact of Windows telemetry settings on what data is sent to Microsoft, what personal data if any is sent, and whether this data is processed in the EU or the USA.
The report into Windows 10 notes that where data is used to improve Windows 10 security and reliability, the interests of Microsoft and the Dutch government are aligned. But when data is used to develop new services or "detect usage of products of competitors", this "serves the commercial interests of Microsoft, while the government already pays with money for the software".
There is a specific issue with the Windows Timeline, which stores activity in the cloud so that users can resume later or on another device. Users have to consent to personal data being used for this, but because of the vague and generic terms on offer, "the consent is not informed nor specific". When you then add into the mix the rights of employees, the report concludes that "as joint controllers [neither] Microsoft nor the government organizations can obtain valid consent". The report "recommends that government administrators disable Timeline completely".
The way Windows 10 is configured is critical, and the report concludes that if the Timeline is disabled and telemetry set to the lowest level, there are "no high data protection risks resulting from the diagnostic data collection in Windows 10".
The Dutch report on Office 365 is less positive, particularly with regard to Office mobile apps and Office Online, for which "five high data protection risks" are identified. "Until Microsoft takes measures to mitigate these risks, government organisations should refrain from using Office Online and the mobile Office apps included in Office 365 licence," it states. There is also advice that "in order to prevent continued vendor lock-in, government organisations are advised to conduct a pilot with alternative open-source productivity software". That said, if all recommended measures are followed, "there are no more known high data protection risks for data subjects related to the collection of data about the use of Microsoft Office 365 ProPlus", it concludes.
In July 2019, the Dutch government published a "State of Play" memo [PDF] indicating that Microsoft had largely resolved the issues which prevented Office from meeting GDPR requirements. "Microsoft has now made the most urgent changes in accordance with the improvement plan. These were tested by SLM Microsoft Rijk in June 2019 and found to be in order," it says.
This explains why the EDPS now states that the agreement forged between Microsoft and the Dutch government is a model for the rest of the EU. "The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation, but also to individuals."
Overall then, the statement by the EDPS of "serious concerns" is not as bad for Microsoft as it first appears. A Microsoft/EU software and cloud suppliers customer council, with the goal of forming a "joint procurement approach to software and cloud suppliers", has created a Hague Forum to carry forward the project of "how to take back control over the IT services and products offered by the big IT service providers".
Many questions remain, not least the extent to which organisations and individuals are willing to disable Windows and Office 365 features for the sake of GDPR compliance. The Dutch memo, for example, stipulates that you should disable LinkedIn integration and not use Office Online or the mobile Office apps. In addition, Microsoft's MyAnalytics and Delve services have not been assessed at all. Microsoft's product development strategy seems to focus on AI driven by machine learning and is therefore likely to bump up against more compliance issues in future.
The Dutch investigation demonstrates that trying to apply generic data protection laws to cloud services of the scope and complexity of Office 365 is a difficult undertaking and unlikely to discover all the nuances and implications of the various data flows.
Finally, those hoping that the EU will change direction away from Microsoft and towards open-source solutions will find little comfort in the EDPS statement, despite a few nods in that direction. With Microsoft seemingly embedded in the discussion, it seems unlikely to be removed as a "strategic vendor". ®