Microsoft updates cloud contracts after EU privacy complaints
Microsoft has announced changes to its Online Services Terms for commercial cloud customers after an EU investigation raised concerns about existing policies' compliance with European regulation.
The company bills the changes as the introduction of "more privacy transparency" in the wake of a probe into potential violations of GDPR relating to telemetry data collected from Office 365 users. Microsoft says the new contractual terms will be offered to customers globally, not just within Europe.
Microsoft's chief privacy officer, Julie Brill, says that the changes being introduced were developed with the Dutch Ministry of Justice and Security (Dutch MoJ) as well as public sector customers. The Dutch MoJ is involved because it is the body that found that Microsoft Office telemetry collection violated GDPR.
In a blog post about the changes, Brill says:
Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services. In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combatting cyberattacks on any Microsoft product or service; and complying with our legal obligations.
The change to assert Microsoft as the controller for this specific set of data uses will serve our customers by providing further clarity about how we use data, and about our commitment to be accountable under GDPR to ensure that the data is handled in a compliant way.
She goes on to explain: "Meanwhile, Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date".
Microsoft will introduce the changes in all new contract provisions globally from the beginning of 2020.