Microsoft has announced contractual changes that shift more responsibility and risk onto itself. European Union data protection authorities raised concerns about Microsoft’s data protection measures, which led Microsoft to change the commercial contracts governing its cloud services.
The new contractual provisions, which will take effect at the beginning of 2020, come on the heels of a warning from Europe’s data protection supervisor that Microsoft’s cloud services contractual terms may be in violation of the GDPR. An investigation was launched after the Dutch Ministry of Justice found that Microsoft’s data collection practices for Office 365 ProPlus and Office 365 users violated the GDPR.
The GDPR regulates the processing, use, storage, and sharing of European citizens’ personal data. The GDPR grants European citizens the “right to be forgotten,” which means that in certain circumstances their personal details must be removed from an entity’s database. The GDPR has shown the potential to have a significant impact on both parties to a cloud computing contract, particularly cloud service providers and the businesses that leverage cloud services. Failing to comply with the GDPR can lead to fines of up to the greater of €20 million or four percent of global turnover. Cloud service providers handling the data of European citizens must adhere to the GDPR regardless of where they are located.
Regulators’ concern about cloud computing is merited, as it presents many challenges to privacy. The cloud can store almost any type of information, and there is significant risk associated with uncontrolled distribution of this information to third parties. Further, entities that use cloud service providers expect that the obligations they have made to their own customers will be upheld by the cloud service provider. Therefore, tailored contracts that incorporate those commitments and delineate the controller and processor relationship are vital. This is what makes Microsoft’s shift significant.
The GDPR makes certain cloud contract considerations mandatory, including representations made by the data controller to its cloud processor that provide more information on the processing of personal data. Cloud contracts should also include clear controller instructions to the cloud service provider about data security expectations, including the procedures to follow in case of a data incident. These cloud contracts need to delineate if, when, and how a processor can engage another processor, and must call out confidentiality terms.
Microsoft’s changes represent an opportunity for business customers of cloud service providers. The contractual changes made by Microsoft include accepting greater processing responsibilities for its enterprise services, such as account management and financial reporting. Microsoft will assume the role of data controller when processing data for specified administrative and operational purposes incident to Azure, Office 365, Dynamics, and Intune, a marked change from its existing designation as a data processor for these functions related to its commercial cloud services.
This new designation requires Microsoft to accept Article 5 GDPR responsibilities, including the obligation to maintain the lawfulness, fairness, and security of personal information processing. Microsoft will be moving closer to Amazon’s AWS model, under which Amazon deems itself the data controller over personal data collected for account registration, administration, service access, and contact information. European regulators appear to be aggressive in pursuing more control over the IT services and products offered by large information technology service providers and are pursuing the creation of more standard contracts. Given this reality, business customers are in a position to make sure their contracts properly allocate responsibility to the cloud service provider.