Microsoft Corp.’s contracts with European Union institutions are in breach of the EU General Data Protection Regulation, according to preliminary findings published Monday by the European Data Protection Supervisor.

GDPR, which became EU law in May 2018, regulates processing, movement and use of personal data in the EU with allowances for data transfers outside the union. While best known for its penalties when data breaches occur, it also regulates how companies handle data in general. That’s where Microsoft comes into the picture.

The EDPS launched an inquiry into Microsoft’s contracts with the EU in April with a view to considering whether the tech giant was in compliance with GDPR. “Though the investigation is still ongoing, preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services,” the EDPS said in a statement.

Responding to the preliminary findings, a spokesperson for Microsoft told Reuters that “we are committed to helping our customers comply with GDPR, Regulation 2018/1725 and other applicable laws. We are in discussions with our customers in the EU institutions and will soon announce contractual changes that will address concerns such as those raised by the EDPS.”

Although the breach of GDPR appears to be due to contractual issues, the root of the issue may be in part the way Office 365 records data. In November 2018, authorities in the Netherlands claimed at Office 365 breached GDPR because of a “telemetry data collection mechanism.” That mechanism involves Office 365 collecting what was described at the time as “functional and diagnostics data that is usually a standard practice among software developers,” though it included actual content from users’ application as well.

Microsoft was at the forefront of companies attempting to be GDPR-compliant before its launch, having released data protection tools in February 2018 to assist with compliance.

The EDPS primarily findings are preliminary, not final. When the final adjudication on the matter will be forthcoming is not clear, but the inquiry is ongoing.

Image: EDPS