A study commissioned by the Dutch government last year found that Microsoft was violating the EU’s General Data Protection Regulation as it failed to disclose fully how it collects and uses data on users of cloud products such as Office and sends this to the US for processing. The company agreed to rectify the problems and subject itself to audits on its privacy practices. New tools for customers to control which data Microsoft collects started rolling out in April.
The European Data Protection Supervisor also launched an investigation in April after it found EU institutions using Microsoft services may be subject to similar problems. The EDPS said the solutions agreed with the Dutch government should be extended to all Microsoft users.
Microsoft has now agreed to do so, saying the changes will apply to all customers, whether in the private or public sector, small or large organisations, around the world. The main change in Microsoft’s policy is clarifying that it may also collect and process customer data “for specified administrative and operational purposes” in its cloud services such as Azure, Office 365, Dynamics and Intune. This data processing serves purposes such as account management, financial reporting, combatting cyberattacks on Microsoft products or services and complying with legal obligations, the company said.
This also makes the company accountable as a data processor under the GDPR for this type of data, increasing its disclosure obligations and giving customers greater control over whether and how the company may use the data. Microsoft already assumed the obligations for processing other forms of data, for example for addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.
The changes have started rolling out and should be available on a broad scale from early 2020, Microsoft said.