Microsoft has rolled out a new version of its Online Services Terms in response to gripes raised by the Dutch Ministry of Justice over telemetry data that Microsoft collected from Office 365 Plus and Office 365 users.
The Dutch MoJ accused Microsoft of violating the EU’s General Data Protection Regulation (GDPR), triggering an investigation by the European Data Protection Supervisor (EDPS), which said it had “serious concerns” with Microsoft’s contracts.
Microsoft announced in November it would update its cloud contracts globally for enterprise and smaller business customers to account for changes demanded by EDPS and the Dutch MoJ.
Customers are now free to wade through two Microsoft terms documents: the 159-page Microsoft Volume Licensing Product Terms; and the 40-page Microsoft Online Services Terms (OST). Microsoft provides a link to the documents in a new blogpost.
The new OST incorporate contractual changes Microsoft developed with the Dutch MoJ, said Julie Brill, Microsoft’s chief privacy officer and corporate vice president for global privacy and regulatory affairs, in November.
Microsoft outlines several changes to the OST under its “clarifications and summary of changes” in the new document. There are no significant changes listed in the Product Terms document.
According to Microsoft, data-protection terms, standard contractual clauses, and EU GDPR details have been removed from the OST document. These now live in a separate document called the Online Services Data Protection Addendum (DPA), which is available online.
“The OST/DPA update replaces the previous OST language authorizing Microsoft to process Customer Data ‘only to provide Customer the Online Services including purposes compatible with providing those services’ with more specific instructions and limitations,” Microsoft says in the new OST.
One of the key changes to the OST update is that it doesn’t authorize Microsoft to process customer or personal data for the purpose of “profiling, advertising or similar commercial purposes, or market research” unless the customer explicitly allows it.
The four “high-level” changes that Microsoft notes are that the document:
- Allows Microsoft to process Customer Data and Personal Data as a processor for three authorized purposes: delivering the services, troubleshooting, and ongoing improvement.
- Excludes processing of Customer Data and Personal Data for the purpose of profiling, advertising or similar commercial purposes, or market research unless it is done in accordance with documented instructions from the customer.
- Clarifies that Microsoft has the responsibilities of a data controller if it processes Customer Data and Personal Data for certain additional listed “legitimate business operations,” with specific limitations.
- Adds clarity and additional details based on customer feedback (e.g., around how Customers can engage with Microsoft to audit Microsoft’s data processing pursuant to the GDPR).
At the time of announcing the OST changes, Brill said Microsoft “will increase our data protection responsibilities for a subset of processing that Microsoft engages in when we provide enterprise services”.
The OST update would “clarify that Microsoft assumes the role of data controller when we process data for specified administrative and operational purposes incident to providing the cloud services covered by this contractual framework, such as Azure, Office 365, Dynamics and Intune”.
“This subset of data processing serves administrative or operational purposes such as account management; financial reporting; combating cyberattacks on any Microsoft product or service; and complying with our legal obligations,” she added.
The Online Services Terms DPA covers ownership issues related to processed data, processing personal data under GDPR rules, breach notifications, legal issues around transferring data between countries, data retention, disclosure and compliance with law-enforcement requests for data, HIPAA regulations, and the new California Consumer Privacy Act (CCPA). Microsoft is applying CCPA rules to all US users.
For law-enforcement requests to data stored on Microsoft servers, the company promises not to disclose processed data unless required by law.
“If law enforcement contacts Microsoft with a demand for Processed Data, Microsoft will attempt to redirect the law-enforcement agency to request that data directly from Customer. If compelled to disclose Processed Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so,” Microsoft states.