11 November 2019

A recent update from the European Data Protection Supervisor (EDPS) on its ongoing investigation into the data protection compliance of EU institutions’ use of Microsoft products and services has suggested 'serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor'.

Although the activities of the EDPS (which is responsible for enforcing and monitoring data protection compliance for all EU institutions) relate to public bodies in the EU, the EDPS has stressed that any solutions arising from the investigation should be extended to both private bodies and individuals in the EU.

The aims of the EDPS investigation include the development of standard contracts between public administration and software developers or online service outsourcers (i.e. to replace vendor standard terms and conditions to ensure the compliance of such terms with data protection rules), meaning that the EDPS’s actions could put pressure on the even the largest IT providers to be more flexible when contracting for software and services.

Why is the EDPS investigating Microsoft contracts?

The EDPS announced that it was launching an investigation into IT contracts in April this year. This followed the publication of a data protection impact assessment (DPIA) commissioned by the Dutch Ministry of Justice and Security into the use of Microsoft Office software by Dutch authorities; the DPIA reported multiple high data protection risks where Microsoft had not agreed to mitigating measures proposed by the Ministry .

EU institutions outsource large amounts of personal data processing to third-party IT providers, including Microsoft. According to the DPIA, in the Netherlands alone, approximately 300,000 government employees work with Microsoft software on a daily basis, to send and receive e-mails, create documents and spreadsheets and prepare visual presentations.

Wojciech Wiewiórowski, Assistant EDPS, said that the contractual relationship between the EU institutions and Microsoft is under EDPS scrutiny to ensure that appropriate contractual safeguards and risk-mitigating measures are in place to comply with data protection rules.

What could this mean for IT vendors and their customers?

At this stage it is not clear to what extent the EDPS investigation will impact the current contracting practices between software and online services providers and their customers. 

The EDPS and the Dutch Ministry of Justice and Security established an EU software and cloud suppliers customer council in August this year to encourage greater customer control to set 'fair contractual terms' with IT service providers. 

Should the EDPS and the Dutch Ministry of Justice and Security succeed in their aims, we can expect that it will become more difficult for software and cloud service vendors to insist that prospective customers contract on the vendor’s standard terms and conditions. Whilst this will be a welcome development for many customers when negotiating the purchase of IT goods and services, it will present vendors with challenges to ensure negotiated contracts comply with both regulatory requirements and internal governance rules.

The EDPS has not confirmed when it expects to conclude its investigation so will we continue to monitor for further developments.

How can Burges Salmon help?

If you would like assistance with IT, outsourcing or data protection advice, please contact us.

This article was written by Ian Bond.

Key contact

A photo of David Varney

David Varney Partner

  • Data Protection and Cybersecurity
  • Technology and Communications
  • Outsourcing

Subscribe to news and insight

Burges Salmon careers

We work hard to make sure Burges Salmon is a great place to work.
Find out more