At Microsoft, we have a commitment to provide robust data privacy protection for every individual, and we believe stronger privacy protections through greater transparency and accountability should benefit our customers everywhere. This starts with making sure our customers get meaningful choices about how and why data is used, and ensuring that they have the information needed to make the choices that are right for them across our products and services.
Today we’re sharing updates we’ve made to Microsoft’s Online Services Data Protection Addendum, or DPA, for all enterprise customers. The DPA is a document that lays out our respective obligations around data processing and security in connection with Microsoft online services.
Customer obsession is part of our culture and as we’ve discussed in the past, we routinely listen to our enterprise and public sector customers and make updates to the ways we manage their data based on their feedback and the evolving regulatory landscape. We value privacy deeply and always work to meet or exceed our customers’ expectations. We believe stronger privacy protections through greater transparency and accountability should benefit our customers everywhere, which is why, for example, we voluntarily extended the core rights in the European Union’s General Data Protection Regulation (GDPR) to our global customer base.
The updates we made today fall into four categories.
Greater Assurances
We’ve heard from customers that they want more granular choices over what features in our products they use or don’t use, and they want their data to be governed only by the terms necessary for what they choose to use. The updates to the DPA give customers greater assurance that when new product capabilities subject to different terms are available, customers have the choice not to use those capabilities. Such decisions will not diminish the overall ability of the product to function, nor will they make customers subject to any new terms of the DPA corresponding with those unselected capabilities.
Greater Transparency
We continually seek to give customers greater transparency about how we handle the data they entrust to us so that they can make more informed decisions about the products and features they use and how they use them. Today’s updates include specific language about the steps we already take to encrypt customer data and the steps we already take to restrict access to that data within Microsoft. The updates also give greater clarity and reassurance about the relationship between the DPA and other privacy-related documents like our Online Service Terms, which incorporate the DPA.
Process Improvements
We are always looking for ways to improve the processes by which we keep customers informed. The updates in the DPA include several improvements to our processes focused on better serving our customers. The most significant of these improvements is lengthening the customer notification period before a new subprocessor is engaged. Like other large technology companies, we use subprocessors to provide certain limited or ancillary services on our behalf. Of course, Microsoft remains responsible for its subprocessors’ compliance with Microsoft’s obligations under the DPA.
Clearer Accountability
As technology evolves, we recognize the importance of keeping our commitments, like the DPA, updated. The updates we made today add clarity to our respective responsibilities related to biometric data as defined by the GDPR, which include facial images and fingerprint data.
Many of the updates we’ve made here are based on productive conversations we’ve had with customers over the past few months, including the European Commission as our customer. We value the Commission’s input, as well as the input of its data protection authority, the European Data Protection Supervisor. These conversations helped us think about areas we can continue to improve to best serve the EU institutions as well as our broader enterprise customer community. The updates we are announcing today will benefit all of our customers around the world and not just those in the EU.
We look forward to continuing conversations with our customers and continuing to evolve how we serve customers while working hard to protect their data, keep them informed, and offer them more choices.