Microsoft recently released a new version of its Online Service Terms (OST), ZDNet reports.
The tech giant revamped its OST with the Dutch Minister of Justice, following accusations by the minister that Microsoft violated the European Union’s General Data Protection Regulation. Two major documents were created as a result of the legal partnership: the Microsoft Volume Licensing Product Terms and the Microsoft Online Services Terms.
“Several changes” have been made to the OST, except in the Product Terms document, ZDNet says. High-level changes include:
- Microsoft is allowed to process customer and personal data to deliver services, troubleshoot, and for ongoing improvement.
- Customer and personal data cannot be processed to profile or advertise, nor can it be used for market research unless documented consent from the customer is obtained.
- If Microsoft processes customer data for any other “legitimate business operations,” then it takes on the responsibility of a “data controller.”
- More clarity around customer feedback has been added, such as how customers might engage with the tech giant to audit its data processing pursuant to the GDPR.
Additionally, under the OST, Microsoft promises to keep processed data private unless required by law; if data is requested, Microsoft will go through the customer to obtain and share it with law enforcement.
An Interesting Addendum
While Microsoft worked directly with European government leadership on its OST, all data protection terms, standard contractual clauses, and other EU GDPR information “has been removed from the OST document.” Now, all of that info lives in a separate document called the Online Services Data Protection Addendum.
However, the addendum serves the same purpose as the other OST document: “The OST/DPA update replaces the previous OST language authorizing Microsoft to process Customer Data ‘only to provide Customer the Online Services including purposes compatible with providing those services’ with more specific instructions and limitations.”
Having multiple documents explicitly spelling out the ways a company is allowed to handle data raises questions: why couldn’t Microsoft cover data protection services in one document? Did government leadership still not trust the company enough under its initial revisions? Will there be increased government supervision of tech companies like Microsoft moving forward? It will be interesting to see how Microsoft complies with its new OST, and whether other companies will follow suit. Maybe there’s a chance the tech company will set a positive precedent for handling customer data in the new decade.