The Microsoft Data Scandal: Are EU Institutions Next?

Following the Microsoft data scandal uncovered by the Dutch ministry, the European Data Protection Supervisor (EDPS) has launched an investigation into the contractual agreements concluded between EU institutions and Microsoft.

Their question: as a data controller, how much responsibility does an EU institution have over its data processor, Microsoft?

The Microsoft Data Scandal

An inquiry lead by Dutch Authorities has caught the EDPS’ eye, which raised concerns with Microsoft’s Office hidden telemetry and found eight GDPR violations in Office ProPlus and Office 365. 

The Dutch investigators identified a large-scale hidden collection of personal data through Office’s built-in telemetry collection capabilities, accusing Microsoft of using this telemetry collection privately without properly informing users. It could not find any evidence of users having a way to turn this telemetry off, and no clear records of the information that was being collected.

Worryingly, it seems that actual content from users’ applications such as email subject lines and sentences from documents, where spellchecker tools were used, were being stored despite this information not being required for any functional diagnostic tools!

Following the report, Microsoft has pledged to update its ProPlus products so that they will comply with privacy regulations. No fines have been issued as of yet while Microsoft revises its practices. However, it is not only Microsoft that is under scrutiny: those outsourcing their personal data to Microsoft are also in the firing line.

EU Institutions and Microsoft

The EDPS is responsible not only for monitoring EU institutions’ compliance with data protection laws, but also for ensuring that the general public are aware of any possible risks to their freedoms with regards to processing personal data. It is a body which is becoming increasingly influential, advising on policies and legislation that affects privacy and cooperating with its similar counterparts.

Many EU institutions outsource to Microsoft to carry out a variety of their daily activities, including processing large amounts of personal data.

These EU institutions are now under scrutiny and will be required to prove that the agreements they have in place with Microsoft ensure that their arrangements are fully compliant with data protection rules. 

Regulation 2018/1725 recently introduced new rules around personal data and outsourcing for EU institutions. It brings the data protection rules applicable to large EU institutions in line with the rules set out in the GDPR for other organisations and businesses operating within the EU- seems fair, right?

Whilst contractors who have been enlisted for EU institutions to outsource activities to remain obligated to ensure compliance with the rules, EU institutions are also accountable for any data processing carried out on their behalf. These institutions should ensure that their contractual agreements with contractors ensure compliance with the GDPR, and it remains their responsibility to identify and mitigate any risks. 

This might sound similar- it is just like the obligations any data controller has with regards to their data processors

The EDPS has considered the nature, scope, context and purposes of the data processing carried out by EU institutions and the bodies that it outsources to, and has concluded that it is crucial to ensure that the appropriate contractual safeguards and risk-mitigating measures are in place to ensure compliance with the GDPR.

The EDPS launched this investigation at the beginning of April, and we await a decision on just how responsible these EU institutions will be found to be. 


In the meantime, if you have any questions on your obligations as a controller or processor, or are looking for advice on any other legal matter, please don’t hesitate to get in touch!

Article by Lily Morrison, Legal Consultant @ Gerrish Legal, June 2019