The never-ending saga of Microsoft's run-ins with European data protection authorities
Even before GDPR came into effect in May 2018, data protection regulators in some European countries were starting to have their doubts about whether Microsoft's flagship product, its Windows operating system, was compliant with European data protection standards.
"Following an investigation which concluded in June 2016, CNIL issued Microsoft with a formal notice to comply with French data protection regulations. CNIL also ruled that the decision should be made public, given the scale of the violations in question."No fewer than six violations of the French Data Protection Act were identified by CNIL, including continued transfer of data based on Safe Harbor principles despite the fact that the Safe Harbour Agreement had been invalidated by the CJEU in October 2015.
Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000.
In June 2017, it was reported that Microsoft had scaled back the volume of data it collected from Windows 10 PCs by "almost half". This led CNIL to announce that Windows 10 was no longer in breach of the country's data protection laws and that it had decided to close the case.
But that was only the first chapter in the never-ending saga of Microsoft's run-ins with European data protection authorities.
"Microsoft was given three months – until 30 September 2016 – to end the identified violations of French Data Protection law or else face the prospect of a fine of up to €150,000."A few months later in October 2017, it was reported that the Dutch data protection authority (Autoriteit Persoonsgegevens) had come to the conclusion that Microsoft was in breach of Dutch data protection law due to the way it processed the personal data of Windows 10 users.
According to the Dutch data watchdog, Microsoft made it impossible for users to give their valid consent to their personal data being processed due to the multiple ways in which that data might subsequently be used.
The Dutch regulator noted that Microsoft had promised to end its "violations", but warned that a failure to do so could lead it to impose a sanction.
After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing".
"After some back and forth with the regulator, Microsoft submitted a revised version of its software in April 2018. However, in the course of testing the revised version the Dutch agency found fresh grounds for concern, discovering what it called in a press release "new, potentially unlawful, instances of personal data processing"."In the meantime GDPR had entered into force, and this led the Dutch data protection authority to refer its concerns to the competent lead EU privacy regulator under the new regulations. This was the national data protection authority where Microsoft's regional HQ for the EU is located, namely the Irish Data Protection Commission.
And so the seriously under-resourced Irish DPC added the Microsoft GDPR non-compliance case to an already long list of files concerning the cross-border data processing activities of multiple tech giants which had accumulated on its docket since the GDPR came into force in May 2018.
According to the most recently available reports from May 2020 the Microsoft case is still pending before the Irish Data Protection Commission.
The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365.
"The situation in the Netherlands became even hotter for Microsoft with the decision of the Dutch Ministry of Justice and Security in 2018 to commission a Data Protection Impact Assessment (DPIA) to be carried out on a range of Microsoft products, including Office 365."The DPIA was commissioned because this was a clear-cut case of data processing on a large scale (by 300,000 government employees) which involved personal data, including data that could be potentially used to track the activities of employees.
The aim of the exercise was to assess the extent to which Microsoft's Office Online and the Mobile Office Apps could be deployed in a GDPR-compliant manner by Dutch government organisations.
The scope of the investigation included the five most commonly used Office 365 applications – Word, PowerPoint, Outlook, Excel and Microsoft Teams – in Office Online and the Mobile Office apps, in combination with the use of cloud storage services.
The final report [PDF], which was published in November 2018, identified a number of serious data protection risks, in particular the following:
● Loss of control over the use of personal data;
● Loss of confidentiality;
● Inability to exercise rights;
● Re-identification of pseudonymised data;
● Unlawful (further) processing.
It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft.
"It was noted that effective risk mitigation was outside of the users' control and could only be carried out by Microsoft."The investigation found an unacceptable lack of control by users over the processing of personal data by Office 365 mobile applications. Because of this government organisations were advised to create policies for their employees stating that they were not to use mobile Office 365 applications.
As we shall see in the next part, the investigation by the Dutch authorities into the GDPR-compliance of Microsoft products prompted the European Data Protection Supervisor to announce its own investigation into Microsoft products used by EU institutions. ⬆