Does Microsoft Violate GDPR? European Regulator Asks Tough Questions

EU privacy regulator investigates Microsoft. Audits contracts with EU bodies for compliance.

EDPS (the European Data Protection Supervisor) wants to ensure GDPR (the General Data Protection Regulation) is being adhered to by Microsoft and its customers inside the institutions of the EU itself, such as the Parliament and the Commission. This comes after serious allegations that Microsoft Office’s telemetry features fell afoul of GDPR.

This could get expensive for Redmond. In today’s SB Blogwatch, we search under the couch cushions, in case Satya needs a hand.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: the internet … iiinn spaaaaace.


What’s the craic? Catalin Cimpanu casts “EU to check for GDPR violations in Microsoft products”:

 The European Union’s data protection watchdog, has started an investigation into Microsoft’s contracts with EU institutions. [It] will focus on the way Microsoft software complies with the EU’s new data protection regulation … GDPR.

Dutch authorities started an investigation into … hidden telemetry last November. [It alleged] eight GDPR violations in Office ProPlus and Office 365. The EDPS inquiry … cited the Dutch government’s investigation as the main reason for auditing Microsoft’s contracts with EU institutions.

Also Francesco Guarascio and Foo Yun Chee emit this unfortunate headline—“EU data supervisor probes EU bodies”: [You’re fired—Ed.]

 The 28-country European Union adopted the landmark General Data Protection Regulation (GDPR) about a year ago, giving Europeans more control over their online information and privacy enforcers the power to impose hefty fines. … The EDPS can impose fines up to 50,000 euros for each infringement.

[After] Dutch concerns raised in November about the data collected … the company subsequently made some changes to comply with EU rules. … “We are committed to helping our customers comply with GDPR, Regulation 2018/1725, and other applicable laws. [We] are confident that our contractual arrangements allow customers to do so,” Microsoft said.

But NATTtrash trash-talks the MS PR spokesdroid’s efforts:

 Well, didn’t you pass the online course “How to write standard marketing statements with commonly used, risk-avoidant statements in 5 minutes” with flying colours!

News flash: You don’t have to help your customers to comply with GDPR. You yourself are not exempt, and have to start … with a product that is compliant … to begin with.

So what’s all that “helping our customers” spin really about? The EDPS’s Wojciech Wiewiórowski explainifies:

 New data protection rules for the EU institutions and bodies came into force on 11 December 2018. Regulation 2018/1725 introduced significant changes to the rules governing outsourcing. Contractors now have direct responsibilities when it comes to ensuring compliance.

However, when relying on third parties to provide services, the EU institutions remain accountable for any data processing carried out on their behalf. They also have a duty to ensure that any contractual arrangements respect the new rules and to identify and mitigate any risks.

It is with this in mind that the contractual relationship between the EU institutions and Microsoft is now under EDPS scrutiny.

Many scrutiny. So relationship. Such NoneSuch. Wow:

 Not being able to turn off the data slurp on Enterprise level software should be judged as illegal by the EU. That has the makings of massive law suits.

At best, it’s Microsoft trying to catch Google. At worse, it’s kibble for the NSA.

But this Anonymous Coward implies an implication (or two):

 I know of a couple of gov departments where MS has been introduced via the golf course. There’s not a chance they will even listen to objections, GDPR or not.

Let’s just say that, as far as I can tell, Microsoft’s compliance with GDPR has a couple of interesting holes in it. … Their modus operandi is to comply with the letter of the law, whilst skirting on the wrong side of … the spirit of the law.

Of course, we’re now getting equivalent regs in California and Washington. Kristina Podnar says, “No need to fear yet another data privacy regulation”:

 A particular area of fear in the past several years has come from digital privacy regulation. Leading up to May 25, 2018, it was … GDPR. This year I am seeing organizations agonize over meeting the January 1, 2020 deadline to comply with the California Consumer Privacy Act (CCPA). … Organizations doing business in California must comply [with] CCPA, regardless of where they are located.

Although the GDPR and CCPA share some of the same data protection concepts, they are not the same regulation. … But don’t panic just yet thinking that you will have to pull double duty … the differences are straightforward to understand. Well, mostly.

Determine which regulations apply to you. … Others to consider are Brazil’s Lei Geral de Proteção de Dados (LGPD) which is similar to GDPR, South Africa’s Protection of Personal Information Act (POPIA) and the newest one of them all, Washington Privacy Act (WPA).

If you run afoul of the law but can demonstrate good intent, you are much likelier to merely get a slap on the wrist.

But this other Anonymous Coward is possibly a Brexiteer:

 All the EU data privacy regulations are just another EU financial shakedown of companies more successful than anything the EU can create. The EU data privacy regulations levy huge financial penalties on the victims of a crime.

Yes, the companies that get exploited are victims of a crime that propagates to those who have their data exposed in any fashion. A company could take every precaution and work diligently to maintain a secure environment and still get exploited. When this happens, large penalties are assessed on the company. There is not a computer system or encryption protocol in the world that is invulnerable to attacks.

Enforcement within EFTA, EEA and EU member states remains in the hands of local regulators. For example, the ICO in the UK, which as Rebecca Hill points out, is doing an imperfect job:

 The UK’s data protection regulator has failed to follow its own advice, admitting a privacy notice for its own staffers – one of its key recommendations for GDPR compliance – remains “under construction”.

Guidance issued by the Information Commissioner’s Office … states: “Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.”

[And] to ensure organisations are compliant … they should provide a privacy notice that sets out, among other things, the lawful basis and purposes for data processing. However, the ICO appears not to have eaten its own dog food, as it is still drafting a privacy notice for employees—almost a year after GDPR came into force.

The ICO’s PR arm … played down the admission, saying that staff had been “made aware” of its personal data processing policies. … “The ICO workforce has increased by 40 per cent in the last 12 months and this has led to multiple updates to our employee policies and procedures, which in turn need to be reflected in our employee Privacy Notice,” a spokeswoman said. … She said a “finalised” version of the employee privacy notice would be published on its website “in the coming days”.

To which, Charity Njw uncharitably quips:

 Maybe they are exercising their right to have forgotten?

And Finally:

The internet … iiinn spaaaaace

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Le Web (cc:by)

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
