- After receiving feedback from the Dutch Ministry of Justice — a public sector customer — Microsoft updated its commercial cloud contract terms to broaden the scope of its data privacy responsibilities, the company announced Monday.
- Under current Microsoft Online Services Terms (OST), the company fits the profile of a "data processor" according to the General Data Protection Regulations. The renewed terminology will go a step above and define Microsoft as a "data controller" when it processes user data for specific purposes, including account management, financial reporting, combating cyberattacks and complying with legal obligations.
- Elevating its privacy oversight role in these cases will offer customers more clarity about data usage, said Julie Brill, corporate VP for global privacy and regulatory affairs and chief privacy officer, in a blog post announcing the updates. The changes will be offered to public sector and enterprise customers at the beginning of 2020.
When it comes to privacy, the Microsoft playbook upholds privacy norms and expands the standards past the scope of the regulations.
In 2018, before GDPR went into effect, Microsoft announced it would extend the core part of the legislation — mainly, the Data Subject Rights standard — to customers beyond the European Union.
On Tuesday, just weeks ahead of California Consumer Privacy Act (CCPA) enactment date, Microsoft said it would expand the provisions of the law to all of its U.S. customers, even before rules were finalized.
The company also offered to help its enterprise customers comply with the state law's requirements.
Amid increased consumer interest in data privacy, there's a business case for heightening a company's profile as a privacy overseer. Customers will view these companies as more desirable business partners, said Bart Willemsen, VP analyst at Gartner, during the IT Symposium/Xpo in Orlando, Florida last month.
The continued expansion of privacy compliance from Microsoft also lays the groundwork for the possibility of a federal data privacy law. At present, just a handful of states have made strides toward state-level privacy provisions. California is the only state that has approved comprehensive privacy regulation.