When the EDPS began a review of the investigation, it noted “serious concerns over the compliance of the relevant contractual terms with data-protection rules and the role of Microsoft as a processor for EU institutions using its products and services”. Microsoft vowed to change its practices at the end of 2019 and it did, but a report revealed that those changes hadn’t fully propagated to its enterprise and online services. After a short delay, the company has published its new Online Service Terms for Office 365. Crucially, the document no longer authorizes the company to process data for commercial purposes unless agreed to by the customer. It also clarifies which data the company does collect.
Not the First GDPR Violation
When GDPR was first announced, Microsoft appeared to be leading the way in compliance. It even vowed to extend the rights to all of its customers, regardless of location. Since then, it’s been largely clean, but it was also forced to change its commercial cloud provisions after an EU investigation. An optimist would say that the company has a lot of services with a lot of moving parts. With the vast changes that need to be made to suit GDPR, it wouldn’t be difficult to miss a few. Others would find the fact that the company required additional prompting for its online services quite concerning. Whatever your beliefs, you can now rest easy knowing Office 365 Online won’t use your data commercially without your permission.