Microsoft gives cloud customers greater control over personal data after EU concerns

Microsoft has announced changes to its privacy policy for customers using online services, following concerns from the Dutch government over disclosure of how it handles customer data. The company said that following feedback from the Dutch justice ministry, it will implement the changes worldwide for Microsoft commercial cloud customers, giving customers greater control over how the company collects personal data. 

study commissioned by the Dutch government last year found that Microsoft was violating the EU’s General Data Protection Regulation as it failed to disclose fully how it collects and uses data on users of cloud products such as Office and sends this to the US for processing. The company agreed to rectify the problems and subject itself to audits on its privacy practices. New tools for customers to control which data Microsoft collects started rolling out in April. 

The European Data Protection Supervisor also launched an investigation in April after it found EU institutions using Microsoft services may be subject to similar problems. The EDPS said the solutions agreed with the Dutch government should be extended to all Microsoft users

Microsoft has now agreed to do so, saying the changes will apply to all customers, whether in the private or public sector, small or large organisations, around the world. The main change in Microsoft’s policy is clarifying that it may also collect and process customer data “for specified administrative and operational purposes” in its cloud services such as Azure, Office 365, Dynamics and Intune. This data processing serves purposes such as account management, financial reporting, combatting cyberattacks on Microsoft products or services and complying with legal obligations, the company said. 

This makes the company accountable as a data processor under the GDPR also for this type of data, increasing its disclosure obligations and allowing greater control for customers in whether and how the company may use the data. Microsoft already assumed the obligations for processing other forms of data, for example for addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date. 

The changes have started rolling out and should be available on a broad scale from early 2020, Microsoft said.