Microsoft under a cloud amid GDPR concerns over its cloud contracts
The most recent example is Microsoft. After the European Data Protection Supervisor (EDPS) voiced serious concerns about the contractual terms signed by the European Union, Microsoft undertook to react promptly (1).
Microsoft under scrutiny after EDPS’s position on its cloud contracts
In April 2019, against a background of ever-increasing threats of government access to digital data directly from cloud providers in various countries , in particular under the U.S. CLOUD Act, the EDPS launched a comprehensive investigation into the compliance of cloud contracts concluded between the European Union institutions, bodies, offices and agencies (EUIs) and Microsoft (2).
Even though EUIs are subject to their “own GDPR”— i.e. a regulation specifically applying to the processing of personal data by EUIs —namely Regulation 2018/1725 of 23 October 2018 which came into effect on 11 December 2018, the principles laid down in the GDPR and in Regulation 2018/1725 are largely the same.
The late EDPS (Giovanni Buttarelli) and the late Assistant EDPS (Wojciech Wiewiórowsk) therefore undertook an investigation to ensure that the applicable clauses of the contracts signed by EUIs comply with data protection rules and that the data protection rights of individuals are effective.
This probe was carried out in cooperation with the Dutch Ministry of Justice who had concurrently commissioned a data protection impact assessment (DPIA) on Office 365, Microsoft’s flagship office automation service, which is hosted in Microsoft’s in-house cloud services Azure.
The EDPS endorsed all the reservations contained in the Dutch DPIA and highlight in particular:
- a lack of transparency on the transfer of personal data, in particular outside the European Union;
- a lack of control, as there is no possibility to ‘take full control’ of one’s data, in particular due to the automatic activation of tools for tracing user actions and statistics;
- the difficulty for users to be able to exercise their rights in the interfaces currently available.
A so-called ‘The Hague Forum’ has been established to bring together all concerned parties (users, service providers, and any other party interested to join) with the aim to write standard clauses that can be applied to any public administration.
Recommendations on cloud contracts were first made by the European Union Agency for Cybersecurity (ENISA) in 2012 (3). Today, The Hague Forum aims to go well beyond ENISA’s recommendations at a time when the regulatory framework is increasingly precise and binding, so much so that it is even possible to consider, at least when they concern the management of personal data, that cloud contracts are now nominate contracts within the meaning of Article 1105 of the French Civil Code (4).
Microsoft announced updates to cloud contracts
In the end, Microsoft publicly made a formal commitment to review its contracts. The new version of its Online Services Terms (OST) should come into force at the beginning of 2020 (5). The changes made to the OST reflect the criticisms made by both the EDPS and the Dutch Ministry of Justice:
- A clause should guarantee the possibility for the controller to ensure effective rights for users. The data subjects must thus be provided with all useful information on the use of their data and be able to exercise their rights directly in the tools used.
- An audit clause should provide for effective audit rights and enable customers to conduct onsite audits at Microsoft’s, according to conditions to be specified. Audits were previously refused by Microsoft on the pretext that its certifications to various standards relating to the hosting of personal data, including ISO 27001 as supplemented by ISO 27018, were sufficient in themselves.
- Clarifications should be given on the NIS Directive and the obligation to notify security breaches affecting all types of data and systems to the National Cybersecurity Agency (such as ANSSI in France).
- Taking into account that the EDPS and the EDPB (European Data Protection Board) have already expressed their concerns about the CLOUD Act (6), it should be specified that the service provider undertakes to challenge its implementation before the competent judge, to the extent that this is possible under this Act.
While Microsoft has explicitly taken this position after the opinion of the EDPS, the benefits of these new contractual measures should not be limited only to the European institutions; they should also be extended to all customers, acting as controllers subject to the GDPR.
It is not clear whether these new provisions will have retroactive effect. In any event, all contract managers are urged to ensure that the Microsoft cloud contracts they have within their organisation will be subject to the new, more favourable OSTs.
Eric Le Quellenec, Les contrats informatiques et la protection des données à caractère personnel : aspects pratiques, AJ contrat, Dalloz, October 2019, p.420.
Article provided by: Eric Le Quellenec, Lawyer
Head of the IT Advisory Department, Alain Bensoussan – Lexing (France)