EDPS publishes outcome of own-initiative investigation into EU institutions’ use of Microsoft products and services

July 5, 2020

The EDPS has issued a Public Paper setting out the issues raised by its own-initiative investigation into the use of Microsoft goods and services by European institutions. The EDPS said that its findings and recommendations from the investigation are likely to be of wider interest than just to the EU institutions: they may be of particular interest to all public authorities in EU/EEA member states.  They may help when contracting ICT services, because of the similarities between the GDPR and Regulation (EU) 2018/1725 which applies to the EU institutions.

The EDPS Strategy 2020-2024 highlighted digital sovereignty as a key part of the strategy and the Public Paper emphasises that when public administrations enter into contractual relationships with ICT service providers, the terms of these contracts should reinforce the EU institutions’ control over how and why personal data is processed. Therefore, the EDPS recommends that the roles and responsibilities of data processors and sub-processors should be clearly defined and monitored to minimise risks for the privacy of individuals.

The EDPS assessed the compliance of the licensing agreement between Microsoft and the EU institutions against the requirements set out in Regulation (EU) 2018/1725. 

Key findings of the report

First, the licensing agreement between Microsoft and the EU institutions allowed Microsoft to define and change the parameters of its processing activities carried out on behalf of EU institutions and contractual data protection obligations. The discretion that Microsoft had, amounted to a broad right for Microsoft to act as a controller. Given the EU institutions’ role as public service institutions, the EDPS does not consider this to be appropriate. The EDPS recommend to EU institutions that they act to retain controllership.

Second, EU institutions need to put in place a comprehensive and compliant controller-processor agreement and documented instructions of the EU institutions to the processors. Their lack of control over which sub-processors Microsoft used and lack of meaningful audit rights also present significant issues. The EDPS has made recommendations on how to improve the controller-processor agreement and put robust audit checks in place.

Third, a number of linked issues exist, concerning data location, international transfers and the risk of unlawful disclosure of data. EU institutions are unable to control the location of a large portion of the data processed by Microsoft. Nor have they properly controlled what is transferred out of the EU/EEA and how. There is also a lack of proper safeguards to protect data that leaves the EU/EEA. EU institutions also had few guarantees at their disposal to defend their privileges and immunities and ensure that Microsoft would only disclose personal data to the extent permitted by EU law. The EDPS has made recommendations to assist EU institutions in addressing these issues.

Fourth, the EDPS considered the technical measures that the European Commission had put in place to stem the flow of personal data generated by Microsoft products and services and sent to Microsoft. The EDPS recommends that all EU institutions perform tests using a revised and comprehensive approach, share among them the knowledge and technical solutions they developed to prevent unauthorised data flows to Microsoft and inform each other of any data protection issues they identify with the products or services.

Finally, the EU institutions have insufficient clarity as to the nature, scope and purposes of the processing and the risks to data subjects to be able to meet their transparency obligations towards data subjects. The EDPS recommends that EU institutions seek the clarity and assurances allowing them to keep data subjects properly informed.