EU institutions told to avoid Microsoft software after licence spat

A screenshot of a product page showing each piece of software included in the Office 365 suite

The EU’s data protection watchdog has recommended that public institutions hold back on purchasing any Microsoft software after identifying several major concerns with existing contractual terms.

Arrangements between Microsoft and EU institutions, spanning the work activities of around 45,000 officials, amounts to relinquishing their roles as data controllers over to the US software giant, the European Data Protection Supervisor (EDPS) has concluded.

This has been deemed “inappropriate”, according to a report, given the role of EU institutions as public service organisations. These institutions comprise bodies critical to the functioning of the EU, including the European Parliament, European Council, and the European Commission, as well as organisations like the European Central Bank, and the European Court of Justice.

Alarmingly, Microsoft can unilaterally define and change parameters of data processing carried out on behalf of the EU, with these terms risking undermining the rights of data subjects, the EDPS report found.

The EU, more significantly, has little capacity to ensure GDPR cannot be violated as there is little oversight over how the data is processed, where it’s processed, and by which sub-processors.

Once in an agreement with the company, EU bodies are unable to control a large portion of the data processed by Microsoft, and are unable to properly control what is transferred out of the EU.

There are no safeguards to ensure, for example, data protection standards are upheld if Microsoft transports EU officials’ data to a US-based server, with few guarantees to ensure Microsoft only discloses personal data as permitted by EU law.

EU institutions, as a result, should “carefully consider” any purchases of Microsoft products or services, or enrolling new users into already purchased software, until they have analysed and implemented the EDPS’ recommendations.

Bodies, furthermore, should properly embed data protection policies in each specific public information and communications technology procurement procedure, specifying the desired security and data protection measures.

“It is not appropriate that the data of people collected in the provision of services to public authorities is processed for their own purposes by these service providers,” said European Data Protection Supervisor Wojciech Wiewiórowski.

“By sharing technical expertise and by reinforcing regulatory cooperation through this Forum, we can also contribute to ensuring the same level of data protection safeguards and measures for all consumers and public authorities living and operating in the EEA”.

The EDPS has recommended that EU institutions act immediately to retain controllership over data processing activities. European organisations must also put in place a comprehensive controller-processer agreement, with more control over which sub-processors Microsoft use, as well as retaining a right to audit sub-processors.

Similar concerns, regarding a lack of oversight as to where Microsoft processes data, saw a ban on Office 365 products implemented across schools in a German region last year.

The German state of Hesse, and its data protection authority, imposed restrictions on the use of Microsoft software in July 2019 after ruling that Office 365 exposed information on students on teachers to potential access by US officials. This ban was subsequently lifted on a temporary basis.

The EDPS’ concerns are similar in nature to that case, with uncertainty over how the data is being processed arising as a result of Microsoft assuming the in-effect role of data controller due to the licences being struck.

Alarmingly, many of these concerns have arisen as a result of gaps in the contractual drafting, and are not by design, with Microsoft being granted far-reaching rights by default.

The report has recommended that each EU institution should act as the sole data controller with respect to the use of Microsoft software when performing tasks related to public service. Changes to the terms of previously-struck agreements, meanwhile, should only be changed by common agreement, and not unilaterally.

These recommendations sit alongside a vast number that the EDPS suggests should urgently be implemented before the EU procures any further products developed by Microsoft. They include the right to audit sub-processors, and provisions to grant the EU far more oversight over the international transfer of data.

EU institutions, finally, should be more open when it comes to sharing technical expertise with each other to ensure unlawful transfers of personal data to Microsoft are limited. Where EU bodies plan to use Microsoft products not already in use, they should also perform comprehensive data protection impact assessments prior to deployment.

IT Pro has asked Microsoft for its response to the decision.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.