back to article Euro data watchdog has 'serious concerns' as to whether EU deals with Microsoft obey GDPR

The European Data Protection Supervisor (EDPS) has expressed "serious concerns" over whether the contractual terms of agreements between EU institutions and Microsoft, for use of products such as Windows and Office 365, is compliant with data protection rules. The statement is the preliminary result of an ongoing investigation …

  1. Doctor Syntax Silver badge

    if the Timeline is disabled and telemetry set to the lowest level, there are "no high data protection risks resulting from the diagnostic data collection in Windows 10". My emphasis.

    Hmmm. Does this mean "We know there are still some risks" or "There could still be risks but we haven't found them if there are"?

    1. Joe W Silver badge

      Having not followed the discussion at my workplace I am not sure. They do have similar concerns, so I guess "we all know there are some risks, but they are not high" would be the correct reading. Remembering the discussions on this website many would agree on the risks being present, though the severeness can be debated.

      1. Doctor Syntax Silver badge

        The issue is do you mitigate the worst risks, which seems to be the solution they're looking at, or do you eliminate them?

        OK, here come the no-Linux-here naysayers but all they can claim is one sort of risk vs another. The GDPR-related risks are ultimately legal and on-going whilst the FOSS-related risks are practical ones involving training and the like and relate to change-over.

  2. Joe W Silver badge

    No, GDPR + Office 365 is a no-go

    at least as analysed by our company - there are other issues as well, pertaining to control over our data. It's still a MS shop, at least concerning the desktops, and that is unlikely to change (though production is mostly *nix)

    1. Anonymous Coward
      Anonymous Coward

      Re: No, GDPR + Office 365 is a no-go

      How interesting. Since my company is now using Office 365 all round, I've recently started received some weird work analytics emails from Microsoft.

      Just sent a request as to what personal information exactly is sent, because I sure didn't agree to nor even was made aware of my "work pattern" being analyzed.

    2. Anonymous Coward
      Anonymous Coward

      Re: No, GDPR + Office 365 is a no-go

      Before we sold up, I refused to let our business PCs be updated to Win 10 as I was concerned it broke UK data protection laws; I also nixed a pupil tracking system as it kept all of the data on US servers - also breaking GDPR and other data protection laws.

      I raised this with the headmasters of the schools locally that were using this software; they all kept using it as did the new owners of the business, as soon as the sale was complete.

      I have seen NOTHING since that convinces me it is a safe system and complies with GDPR, or the previous date protection laws in the UK.

  3. Pascal Monett Silver badge

    "unlikely to discover all the nuances and implications of the various data flows"

    In other words, there is no way to be sure that GDPR can be respected.

    That said, the only possible conclusion is that Window 1 0 and Office 365 should not be used if privacy is your concern.

    Funnily enough, the report does not come to that conclusion.

  4. DDearborn

    Hmmm

    When does wilful failure to abide by written agreements with governments, and consumers for that matter, regarding unauthorized end user data use, not to mention security, cease to be a contractual breach, and start becoming a deceptive business practice and National Security issue thereby constituting criminal acts? People, Microsoft, Google, Facebook etc., breached that point a long ago. It is time to start revoking corporate charters and arresting officers and controlling stock holders of these companies for conducting espionage and carrying out sedition against the government.

  5. Graham Cobb

    Employees, or the public?

    The article seems to suggest that the reports are mostly about protecting data of government employees. Or is that a wrong assumption?

    Certainly an important first step is to look at the data of the system users -- government employees -- given the number of them. It also provides some leadership, and possibly some changes to supplier policies, that can be very useful for other employers (I know that my employer, for example, has concerns about employee privacy when mandating business use of cloud and mobile apps).

    What is not clear is whether the reports have looked at the privacy of the data being processed which, by the nature of government, contains masses of private data about people. Whether it is a spreadsheet of people asking a local government to supply a cleaner for a disabled person, or the country's income tax system, it is essential that none of that data finds its way to the vendor for "diagnostics" or "performance analysis".

  6. Anonymous Coward
    Anonymous Coward

    ""in order to prevent continued vendor lock-in, government organisations are advised to conduct a pilot with alternative open-source productivity software""

    There isn't any that's functionally equivalent. And what there is also doesn't run the same macros and add-ins making any trasition in a large organisation effectively impossible.

    1. Anonymous Coward
      Anonymous Coward

      Functional equivalence does not necessarily mean "ticks every box," it can just as easily be taken to mean "allows people to do the same tasks"

      What I mean is, there's a heckuvalot of folk who don't have the same functions in their online email account as they'd have using Outlook 2010, and they all seem to be getting along just fine

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019