Microsoft is rolling out new privacy provisions in its Online Services Terms (OST) contracts for all commercial customers after European privacy regulators began investigating it over potential violations of the EU's General Data Protection Regulation (GDPR).
The European Data Protection Supervisor (EDPS) last month said it had "serious concerns" over Microsoft's contracts with European institutions and compliance with GDPR rules.
It kicked off an investigation in April after the Dutch Ministry of Justice found that telemetry data Microsoft collected from Office 365 ProPlus and Office 365 users violated GDPR.
SEE: IT pro's guide to GDPR compliance (free PDF)
However, EDPS in October also noted that a new agreement between Microsoft and the Dutch Ministry of Justice (MoJ) for contractual and technical safeguards and measures to mitigate risks to individuals was a "positive step forward".
The new OST reflect the contractual changes Microsoft developed with the Dutch MoJ, according to Julie Brill, Microsoft's chief privacy officer and corporate vice president for global privacy and regulatory affairs.
The step could appease EDPS, whose investigation into Microsoft's cloud contracts is still ongoing.
The new OST should provide customers with more transparency about data processing in the Microsoft cloud. The changes appear to be designed to describe more specifically how Microsoft uses a subset of data it collects.
Besides ensuring Microsoft complies with EU privacy laws, the EDPS and the Dutch MoJ set up The Hague Forum in August "to discuss both how to take back control over the IT services and products offered by the big IT service providers and the need to collectively create standard contracts".
Microsoft's new contractual terms are being offered not just to EU institutions but globally to all commercial customers in the public and private sectors, regardless of the organization size. Microsoft plans to offer all commercial customers the new contractual terms from the beginning of 2020, according to Brill.
Under GDPR, Microsoft is a data processor for its customers and it collects and uses personal data from its online services.
Brill said the new contract terms will increase Microsoft's data-protection responsibilities "for a subset of processing that Microsoft engages in when we provide enterprise services".
"[W]e will clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics, and Intune," she wrote.
"This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyberattacks on any Microsoft product or service; and complying with our legal obligations."
The additional detail about Microsoft as a data controller is meant to give customers further clarity about how it uses data. It also supports Microsoft's commitment to be accountable under GDPR.
Brill added that "Microsoft will remain the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date."