On Monday, Microsoft announced that it will be updating the privacy provisions of its commercial cloud contracts, a move that follows intense scrutiny from European regulators. The decision was prompted by findings from the European Data Protection Supervisor (EDPS), which revealed that Microsoft’s contracts with EU institutions did not fully comply with EU data protection laws.
The EDPS, which acts as the data watchdog for European Union institutions, launched an investigation back in April to evaluate whether Microsoft’s contracts with entities such as the European Commission respected the bloc’s strict data protection rules, including those established by the General Data Protection Regulation. In October, the EDPS publicly raised concerns about the contracts, particularly regarding how data is handled and protected when using Microsoft’s cloud services.
In response, Microsoft has committed to bolstering its contractual commitments around data protection. In a statement posted on its website, the company explained: “We will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services.” This suggests that Microsoft is prepared to take on additional obligations to ensure that any data processed on behalf of EU institutions and other enterprise clients is handled in a way that fully aligns with EU legal standards.
Microsoft’s move is significant because it positions the company as the only major cloud services provider to offer such robust contractual data protection terms within the European Economic Area (EEA) and beyond. This step could strengthen Microsoft’s reputation in Europe, particularly among public sector clients that must comply with stringent privacy regulations.
The new data protection provisions are expected to be rolled out to public sector and enterprise customers in early 2020. By proactively addressing the concerns of the EDPS, Microsoft is signaling to its European customers that it is serious about data privacy and committed to aligning its practices with the highest standards of data protection.
This development also highlights the broader challenges faced by technology companies operating in Europe, where data privacy regulations are some of the strictest in the world. The GDPR, in particular, has set a high bar for data protection, requiring companies to be transparent about how data is collected, processed, and stored, and to ensure that data subjects’ rights are fully respected.
For Microsoft, the EDPS investigation and the resulting updates to its contracts underscore the importance of adapting to local legal requirements in global markets. As cloud services become increasingly central to how organisations operate, ensuring compliance with data protection laws is not just a legal necessity but also a business imperative.
The move could also serve as a precedent for other major cloud providers. With data protection and privacy becoming ever more important to regulators and customers alike, other tech companies may find themselves under similar pressure to update their own contracts and data handling practices. Failure to do so could result in legal challenges, fines, or damage to reputation.
For EU institutions and enterprise customers, Microsoft’s updated contractual provisions could offer greater peace of mind. By clarifying data protection responsibilities and enhancing compliance with EU law, Microsoft is helping these organisations to better manage their own regulatory risks when using cloud services.
This development reflects a growing trend in the tech industry towards greater accountability and transparency in data processing. As data privacy becomes an increasingly critical concern for individuals and organisations alike, cloud providers that demonstrate a strong commitment to compliance are likely to find themselves with a competitive edge.
Microsoft’s decision to update its commercial cloud contracts following the EDPS investigation marks an important step in reinforcing data privacy in Europe. By taking on increased data protection responsibilities and adapting its contractual terms to meet EU requirements, Microsoft is not only addressing regulatory concerns but also demonstrating its willingness to lead on privacy matters in a rapidly evolving digital landscape. This proactive approach could have lasting benefits for both Microsoft and its customers as they navigate the complexities of data protection in the modern era.
Initial reporting via Reuters. Reporting by Marine Strauss. Editing by Edmund Blair.