The European Data Protection Supervisor has expressed serious concerns about Microsoft’s contractual agreements with the EU’s institutions, saying they fail to fully comply with the bloc’s GDPR, the EU’s data protection legislation.

Microsoft has already taken action to improve its GDPR compliance by opening European data centres for the handling of local data and offering new options for telemetry data.

“We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS,” a Microsoft spokesman said.

The GDPR rules, which replaced the Data Protection Directive, came into force in 2018 to harmonise data privacy law across Europe, both to better protect citizens’ privacy and to reshape the way organisations across Europe approach data privacy.

Microsoft’s data collection practices were first probed by the Netherlands’ Ministry of Justice and Security, which looked into the impact of Windows telemetry settings on what data is sent to Microsoft and whether this data is processed in the EU or the US.

In July, the Dutch government published a memo indicating that Microsoft had largely resolved the issues identified in Office 365, while certain issues related to the Office mobile apps and Office Online still did not meet the GDPR requirements.

“Microsoft has now made the most urgent changes in accordance with the improvement plan. These were tested by SLM Microsoft Rijk in June 2019 and found to be in order,” the Dutch government said following its enquiry. This prompted the European Data Protection Supervisor to issue its own statement, saying: “The EDPS is of the opinion that such solutions should be extended not only to all public and private bodies in the EU, which is our short-term expectation.”

Though Microsoft has made a series of changes, the EDPS has said that the corrections should be extended to all EU contracts.

“Until Microsoft takes measures to mitigate these risks, government organisations should refrain from using Office Online and the mobile Office apps included in the Office 365 licence,” said the EDPS.

Following the Netherlands’ investigation, the EDPS and the Dutch Ministry of Justice and Security established the Hague Forum, which aims to regain control over the IT services and products offered by major service providers and to create standard, across-the-board contracts rather than accepting the terms and conditions set by big IT companies.

“We expect that the creation of The Hague Forum and the results of our investigation will help improve the data protection compliance of all EU institutions, but we are also committed to driving positive change outside the EU institutions, in order to ensure maximum benefit for as many people as possible,” said Assistant European Data Protection Supervisor Wojciech Wiewiorowski.