
Microsoft’s Buckling to EU Augurs Well for India

How the mighty fall when faced with hard-nosed process watchdogs who refuse to budge an inch from their masters’ policy guidelines! The European Union’s General Data Protection Regulation (GDPR), which came into existence last year, is governing the technology firmament with an iron fist in an iron glove, causing even the biggest of players to keel over and accede.

The latest to do so is Microsoft, which announced that it was amending its privacy policies on commercial cloud computing contracts in the EU region after investigations by the European Data Protection Supervisor (EDPS) in April raised concerns over the contracts not being compliant with the GDPR.

Microsoft’s decision to change its Online Terms in the EU was announced by chief privacy officer Julie Brill in a blog post, in which she claimed that the company decided to change the policies based on “additional feedback we’ve heard from our customers”.

“Our updated OST will reflect contractual changes we have developed with one of our public sector customers, the Dutch Ministry of Justice and Security (Dutch MoJ). The changes we are making will provide more transparency for our customers over data processing in the Microsoft cloud,” she said in the blog post, adding that Microsoft was at present the only major cloud provider to offer such terms in the European Economic Area and beyond.

The official further clarified that in anticipation of the GDPR, Microsoft had designed most of its enterprise services as services where the company would act as a data processor for its customers, ensuring that it took all necessary steps to comply with the new data protection laws in Europe.

In the same blog post, Julie Brill also confirmed that Microsoft would be updating its privacy policies on a global basis, across both public and private sectors.

This reaction from Microsoft could be directly ascribed to warnings from Europe’s data protection supervisor that its probe into the contractual terms of Microsoft’s cloud services had raised serious concerns about compliance with EU data protection laws, and that the role of the tech major as a data processor for organizations in the European Union would be in question.

Through this announcement, Microsoft has accepted an enhanced role as data controller, rather than processor of data, for the operations linked to the provision of commercial cloud services such as the Azure platform. Under the GDPR framework, data controllers have larger obligations around handling personal data: lawfulness, fairness and data security are added to their brief, making it a far greater legal risk should there be a failure on their part.

At a time when Parliament is scheduled to debate data protection laws in India, this move from Microsoft in response to the tough guidelines from the EU should be music to the ears of those who have been at the forefront of data protection.

It was in July last year that the Justice Srikrishna Committee submitted the draft Bill to the Ministry of Electronics and Information Technology after consulting with all stakeholders and on the back of the GDPR that came into force in Europe last May. The Personal Data Protection Bill, 2019 is critical for India as till date there is no law to regulate data protection and ensure data privacy.

The Srikrishna panel had recommended that any person processing personal data owes a duty to the data principal to process such personal data in a fair and reasonable manner that respects the privacy of the data principal. It also proposed that such data be processed only for purposes that are clear, specific and lawful, and only for the purpose for which it was collected.

The draft Bill also discusses the right to restrict or prevent continuing disclosure of personal data by the company or any others associated with it. It says the data principal would have the right to prevent disclosure once it has served the purpose for which it was made, or was made on the basis of consent, or was made contrary to the provisions of this Act or any other law passed in the legislatures.

The committee also suggested that data localization be made mandatory so that every fiduciary keeps a copy of the data they collected on a server or data centre located in India. Overall, the recommendations in the Bill were loosely based around the GDPR and should stand India in good stead, especially in the wake of data privacy challenges that most of the big tech firms such as Google and Facebook are facing in their home country.
