Microsoft increases data protection for enterprises following Dutch MoJ audit

Last year’s audit by the Dutch Ministry of Justice and Security got the attention of the European Data Protection Supervisor. Now Microsoft has reacted.

Microsoft has made privacy changes to Office 365 following an audit carried out 12 months ago for the Dutch justice ministry, which raised concerns over data leaks.

As Computer Weekly has previously reported, an audit conducted by Privacy Company for the Dutch Ministry of Justice and Security recommended disabling any settings in Microsoft Office 2016 that send data to Microsoft servers.

A report on Reuters in August 2019 noted that tests carried out by the Dutch Data Protection Authority (DPA) revealed that Microsoft was remotely collecting data from users. “As a result, Microsoft is still potentially in breach of privacy rules,” the DPA told Reuters.

In July 2019, the Dutch Ministry of Justice and Security approved measures taken by Microsoft to address the concerns raised in November 2018. On the technical side, feedback from the Dutch justice ministry and others led Microsoft to roll out a number of new privacy tools across its major services, make specific changes to Office 365 ProPlus, and increase transparency regarding its use of diagnostic data.

Microsoft has now updated the privacy provisions in the Microsoft Online Services Terms (OST) for its commercial cloud. According to Julie Brill, corporate vice-president for global privacy and regulatory affairs and chief privacy officer at Microsoft, the updated OST reflects the contractual changes Microsoft developed with the Dutch ministry.

“Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud,” Brill wrote in a blog post.

“The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MoJ, which had to be adapted for the broader global customer base. The work to provide our updated OST has already begun. We anticipate being able to offer the new contract provisions to all public sector and enterprise customers globally at the beginning of 2020,” she wrote.

Brill said that under the European Union’s (EU) General Data Protection Regulation (GDPR), Microsoft is recognised as a data processor, since the company collects and uses personal data from its enterprise services to provide online services requested by customers and for the purposes instructed by customers. Brill said this level of data stewardship has now been extended to enterprise services.

Microsoft may have needed to make the change as a result of intervention from the European Data Protection Supervisor (EDPS). In October 2019, the EDPS requested that Microsoft offer contractual changes such as those negotiated with the Dutch justice ministry to its customers in EU institutions.

At the time, Wojciech Wiewiórowski, assistant supervisor at the EDPS, said: “We are committed to driving positive change outside the EU institutions to ensure maximum benefit for as many people as possible. The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward.”

The EDPS said it recognised that EU institutions outsource the processing of large amounts of personal data, but highlighted that EU institutions still remain accountable for any processing activities carried out on their behalf. The EDPS said EU institutions must assess these risks, and have appropriate contractual and technical safeguards in place to mitigate them. It recommended that all data controllers operating within the European Economic Area adopt similar contractual and technical safeguards.

“Through the OST update we are announcing today we will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services,” Brill wrote in the blog post.

“In the OST update, we will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune. This subset of data processing serves administrative or operational purposes.”
