The European Data Protection Supervisor (EDPS) has expressed "serious concerns" over whether the contractual terms of agreements between EU institutions and Microsoft, for use of products such as Windows and Office 365, are compliant with data protection rules.
The problem exists because of Microsoft's data collection practices. These practices were probed by the Dutch Ministry of Justice and Security, which has published the results in a series of papers. These documents are required reading for those interested in the nuances of telemetry, data collection, personalisation, and the roles of different organisations as defined in the GDPR.
The report into Windows 10 notes that where data is used to improve Windows 10 security and reliability, the interests of Microsoft and the Dutch government are aligned. But when data is used to develop new services or "detect usage of products of competitors", this "serves the commercial interests of Microsoft, while the government already pays with money for the software". The Dutch report on Office 365 is less positive, particularly with regard to Office mobile apps and Office Online, for which "five high data protection risks" are identified.
Yes, changes have already been made by Microsoft, but nevertheless the Dutch agreement should serve as the example.
Dutch agreement should be extended to entire bloc, says statement