NEWS 10 April 2019

EU software deals with Microsoft under scrutiny

BELGIUM – The European data protection supervisor is investigating the software contracts in place between Microsoft and the EU institutions, which include the European Parliament and the European Commission.

The investigation will assess whether contractual agreements between the EU institutions and Microsoft are compliant with data protection rules.

A new regulation introduced in December 2018 means EU bodies must comply with the same data protection rules regarding the outsourcing of data processing as other EU organisations and businesses, as set by the General Data Protection Regulation (GDPR).

The move follows the publication of a data protection impact assessment report, commissioned by the Dutch Ministry of Justice and Security, which found that data provided by and about users was being gathered through certain Microsoft applications and stored in a US database in a way that posed risks to user privacy.

Wojciech Wiewiórowski, assistant European data protection supervisor (EDPS), said: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Contractors now have direct responsibilities when it comes to ensuring compliance.

“However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks. It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.”