Almost seven months after the opening of its investigation, the European Data Protection Supervisor (EDPS) seems far from reassured by the level of protection of personal data guaranteed by Microsoft software used by the European institutions. On Monday, October 21, it reiterated its concerns.
Since April (see EUROPE 12231/9), the EDPS has been investigating whether contracts between Microsoft and the European institutions fully comply with European data protection rules.
“Though the investigation is still ongoing, preliminary results reveal serious concerns over compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services”, the EDPS said in a statement.
However, it considers that the agreement reached in early May between the Dutch Ministry of Justice and Security and Microsoft, on new general confidentiality conditions for the Dutch government's digital workstations intended to mitigate the risks identified, is a “positive step forwards”.
The Dutch Ministry of Justice and Security was particularly concerned about Microsoft's large-scale collection of personal data through Office, without properly informing its users.
The agreement provides, notably, that Microsoft should not process usage data for profiling, data analysis, market research or advertising purposes. It also grants effective audit rights to the Dutch government.
According to the EDPS, these solutions should be extended not only to all public and private bodies in the EU, but also to individuals. The contracts with Microsoft should also provide the same level of protection throughout the European Economic Area, it said.
A Microsoft spokesperson, quoted by Reuters, reportedly confirmed that the company would soon announce contractual amendments for the European institutions that should address the concerns raised by the EDPS. (Original version in French by Marion Fontana)