The European Data Protection Supervisor (EDPS) says it has "serious concerns" over Microsoft's contracts with European Union institutions and their compliance with European data-protection laws.
EDPS, Europe's top privacy body, on Monday said recently amended contractual terms between Microsoft and the Dutch Ministry of Justice and Security showed there is "significant scope for improvements" in contracts between the world's top tech providers and all other EU public administration organizations.
The EDPS also argues that better contracts should be available to public and private-sector organizations as well as individuals in the EU.
"Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data-protection rules and the role of Microsoft as a processor for EU institutions using its products and services," the EDPS said.
The regulator launched its investigation into the use of Microsoft's products by EU institutions in April on the back of a probe by Dutch authorities into Microsoft Office's hidden telemetry collection, which identified eight violations of the EU's General Data Protection Regulation (GDPR) related to Office 365 ProPlus and Office 365.
GDPR came into effect in May 2018, introducing rules to give individuals more control over their personal data.
Microsoft told Reuters that it will soon announce contractual changes aimed at addressing the EDPS's concerns.
"We are committed to helping our customers comply with GDPR, Regulation 2018/1725 and other applicable laws," a Microsoft spokesman said.
"We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS."
EDPS and the Dutch Ministry of Justice and Security in August set up The Hague Forum to discuss how EU organizations could take back control of technology usage and create standard IT service contracts rather than accepting the terms written by vendors.
"We expect that the creation of The Hague Forum and the results of our investigation will help improve the data-protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, to ensure maximum benefit for as many people as possible," said Wojciech Wiewiórowski, assistant supervisor at the EDPS.
"The agreement reached between the Dutch Ministry of Justice and Security and Microsoft on appropriate contractual and technical safeguards and measures to mitigate risks to individuals is a positive step forward. Through The Hague Forum and by reinforcing regulatory cooperation, we aim to ensure that these safeguards and measures apply to all consumers and public authorities living and operating in the EEA."