Microsoft clarifies cloud service privacy, but is it enough?

Microsoft has updated their Online Services Terms to clarify some privacy issues, but concerns remain. They’ve also added yet another document to the confusing mix of legalese that customers are expected to understand.

Back in August 2019, the Dutch Ministry of Justice released a report that recommended against using Office Online or the Office apps because Microsoft was sending user data to a US marketing company.

Microsoft appears to be reacting in a typically Microsoft way: by changing their Terms and online wording rather than changing what they do. The Online Services Terms (OST) have been changed.

It’s similar to Redmond’s response over listening to Skype calls, which was to continue transcribing customers’ audio and just change some website phrases.

It’s a 40-page document with a summary of the changes:

“The OST/DPA update replaces the previous OST language authorizing Microsoft to process Customer Data “only to provide Customer the Online Services including purposes compatible with providing those services” with more specific instructions and limitations. At a high level, the OST/DPA update:

  • Allows Microsoft to process Customer Data and Personal Data as a processor for three authorized purposes: delivering the services, troubleshooting, and ongoing improvement.

  • Excludes processing of Customer Data and Personal Data for the purpose of profiling, advertising or similar commercial purposes, or market research unless it is done in accordance with documented instructions from the customer.

  • Clarifies that Microsoft has the responsibilities of a data controller if it processes Customer Data and Personal Data for certain additional listed “legitimate business operations,” with specific limitations.

  • Adds clarity and additional details based on customer feedback (e.g., around how Customers can engage with Microsoft to audit Microsoft’s data processing pursuant to the GDPR).”

More confusing documents

Microsoft’s legal Terms have come a long way from the single EULA (End User Licence Agreement). They are now a complicated mix of documents and addenda that is difficult to consolidate into a single policy or set of conditions.

The Online Services Terms document has been split, with a new document and the inevitable new acronym.

Introducing the separate Online Services Data Protection Addendum (DPA), which adds another 24 pages on top of the Online Services Terms.

“The Data Protection Terms, Standard Contractual Clauses, and European Union General Data Protection Regulation Terms have been removed from the Online Services Terms (OST) document and moved to a separate document; the Online Services Data Protection Addendum (DPA)”

The DPA applies globally, not just in the EU. It includes references to the new California Consumer Privacy Act (CCPA) and HIPAA, as well as the European GDPR.

Still not the whole story

Microsoft, like any company, must comply with the law, and that can mean handing customer data to government agencies. Sometimes that is done without telling the customer, and sometimes even without a court warrant.

Down on page 6 under ‘Disclosure of Processed Data’ is a paragraph that tries to skate past that important point. The vital phrases in the Online Services Data Protection Addendum are the qualifiers: “unless required by law”, “will attempt to redirect” and “unless legally prohibited from doing so”:

“Microsoft will not disclose Processed Data to law enforcement unless required by law. If law enforcement contacts Microsoft with a demand for Processed Data, Microsoft will attempt to redirect the law enforcement agency to request that data directly from Customer. If compelled to disclose Processed Data to law enforcement, Microsoft will promptly notify Customer and provide a copy of the demand unless legally prohibited from doing so.