How Detailed Should Your Data Processing Agreements Be?

The EDPS’s recently published decision on its investigation into the European Commission’s use of Microsoft 365 provides organisations with a potentially concerning insight into how key obligations under European data protection law are being interpreted, at least by the EDPS. It would be easy to overlook this decision, since the EDPS’s competence as a data protection authority covers EU institutions only. However, if other EU data protection authorities adopt a similar approach, then many organisations are likely to find that their own GDPR compliance measures, and particularly contractual arrangements between controllers and processors, do not meet the demanding standards envisaged by the EDPS.

This decision considers whether the European Commission’s contractual arrangements with Microsoft regarding the Commission and other EU institution’s use of Microsoft 365 comply with applicable requirements as set out in Regulation (EU) 2018/1725. This is the EU data protection law which is similar to the GDPR and applies specifically to EU institutions. Some aspects of this decision relate to provisions of Regulation (EU) 2018/1725 which are uniquely applicable to the Commission and other EU institutions. However most of it relates to requirements that substantially replicate provisions of the GDPR (and is therefore relevant to the GDPR, if EU data protection authorities would be inclined to adopt the same approach as the EDPS).

 Most of the commentary regarding this decision focuses on findings made by the EDPS regarding the Commission’s failure to comply with its obligations in relation to transfers of personal data outside the European Economic Area, particularly to the United States before the EU-US Data Privacy Framework became applicable.  However findings made in relation to the equivalent of Article 28 of the GDPR (regarding the contractual arrangements between the Commission, as the controller, and Microsoft, as a processor) are equally if not more noteworthy. The EDPS decided that these contractual arrangements did not contain enough detail regarding:

• the types of personal data being processed; 
• the specific purposes for which each type of personal data were processed; and 
• the Commission’s instructions regarding Microsoft’s processing

to be compliant.

The EDPS cited the EDPB’s commentary on the level of detail required to be included in a contract between a controller and a processor under Article 28, as set out in EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR, extensively in its decision. In particular, it focused on the EDPB’s comment that in connection with the type of personal data being processed under a contract “this should be specified in the most detailed manner as possible”.  Despite this guidance, it is not common practice for organisations to specify the type of personal data being processed “in the most detailed manner as possible” due to the practical challenges this would entail. Many organisations routinely do not go into the level of detail the EDPS determined ought to have been present in the Commission’s contract with Microsoft. 

Similarly, the EDPS also considered the level of detail provided regarding the purposes of processing to be deficient. In the context of the rapid development in the use of AI, it is notable that the EDPS observed that Microsoft used artificial intelligence in the context of providing its services and stated as follows:

“The use of artificial intelligence, while potentially improving the service provided, inherently poses potentially high risks to data subjects.  Depending on the circumstances regarding its specific application and use, artificial intelligence may generate (high) risks and cause harm, material or immaterial, to public interests and rights that are protected by Union law. The use of data analytics may also pose potentially high risks to data subjects, in particular where it is based on combining extensive datasets covering individuals’ use of Microsoft 365 over a significant amount of time. The EDPS therefore considers that where the processing involves artificial intelligence or data analytics, the purposes of the processing must specify that in order for them to be considered specified and explicit. The Commission has failed to do that, and in particular in a contract or another binding legal act”.

As regards the instructions provided by the Commission to Microsoft, Microsoft Ireland argued that the Commission had “provided clear instructions to Microsoft with regard to the types of personal data and the purposes of the processing”.  It also stated that:

“It is market practice for comprehensive and dynamic data processing services such as cloud services, to be described in general contractual language – as describing it in overly granular detail would impose unreasonable and counterproductive burdens on the contractual parties – including because sensitive and ever-improving cybersecurity measures cannot be fully captured in any static set of contracts or public statements, for the very reason that it exists, to protect the parties from bad actors when the data processing details are highly dependent on the data fed into the M365 services by the customer and its users, which changes frequently.”

The EDPS rejected Microsoft Ireland’s submissions on these points. It decided that:

“the EDPS has not seen evidence that would demonstrate that instructions were suggested by Microsoft Ireland and accepted by the Commission that would ensure that the purposes of processing and types of personal data have been determined as required by the Regulation. Moreover any market practice that does not comply with the law cannot be deemed acceptable and compliant merely because it might be widespread.”

The practical challenges involved in any organisation seeking to ensure that its data processing agreements contain the level of detail the EDPS considers to be required are obvious.  The Commission has 2 months from the date of notification of the decision to appeal it and, if it does, there will be considerable interest in whether the EDPS’s interpretation is upheld. Pending any appeal, organisations should be mindful of the approach taken by the EDPS in this decision when considering the level of detail they go into in their controller-processor contractual arrangements.