The European Data Protection Supervisor has expressed "serious concerns" that Microsoft may have violated data protection laws through product and service agreements with EU institutions, preliminary results of an investigation have revealed.
The early results follow an initial probe by the Dutch data regulator into the data collection practices of Windows Pro and Windows 10 Home, based on their testing of changes to Microsoft's data collection policies.
After finding issues with Microsoft's data practices in 2018, the Minister of Justice and Security warned users to ditch OneDrive and Office 365 in the interim before demanding changes from the software giant.
Further checks in August of the changes Microsoft had since implemented showed that despite "concrete improvements", the company was still remotely collecting some forms of data from its users. This, according to investigators, constituted a potential violation of the General Data Protection Regulation (GDPR).
The EDPS, an independent organisation that manages the application of GDPR across the continent, has subsequently weighed in with the results of its own probe into contracts Microsoft has agreed with EU institutions.
The EDPS also organised an EU software and cloud suppliers customer council in the Hague on 29 August, which led to the creation of the Hague Forum.
This collective aims to discuss how to take back control over IT services offered by big tech companies, while establishing how institutions can establish standard contractual terms instead of accepting vendor-led user agreements.
"We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions," said assistant EDPS Wojciech Wiewirowski.
"The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward.
"Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA."
The EDPS also warned that outsourcing the processing of personal data still means organisations are accountable for the activities conducted on their behalf.
-
Should AI PCs be part of your next hardware refresh?AI PCs are fast becoming a business staple and a surefire way to future-proof your business
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Tech leaders worry AI innovation is outpacing governanceNews Business execs have warned the current rate of AI innovation is outpacing governance practices.
-
Top data security trendsWhitepaper Must-have tools for your data security toolkit
-
SEC data breach rules branded “worryingly vague” by industry bodyNews The new rules announced last week leave many questions unanswered, according to security industry experts
-
The gratitude gapWhitepaper 2023 State of Recognition
-
Meta sues ‘data scraping for hire’ service that collected info on 600k usersNews Meta says tackling data scraping will require a “collective effort” from platforms and policymakers
-
Building a data governance strategy in 2023In-depth Data governance will continue to expand as attitudes change and businesses look to optimise the value of their data
-
FCC plans strict overhaul of 15-year-old US data breach regulationsNews Telcos could no longer be able to use negligence as a defence for data breaches as the FCC also seeks to hasten public notification of breaches
-
UK follows EU in securing data deal with South KoreaNews The deal will foster cross-border collaboration between businesses by reducing administrative and financial frictions
