29 August 2019
Ministry of Justice and Security / Strategic Vendor Management Unit in cooperation with the European Data Protection Supervisor
European institutions convene to keep control over data processing in the cloud
Over one hundred representatives of public institutions all over Europe gathered in The Hague on 29 August 2019 for the first EU Software and Cloud Suppliers Customer Council meeting. They discussed plans for keeping control over the digital infrastructures provided by hyperscale cloud suppliers like Amazon, Google and Microsoft. The council’s aim is to collectively create standard terms and conditions that hyperscale providers must accept in collaborative procurements of cloud and software services.
Representatives of a wide range of national and international scientific and governmental institutions from across the EU discussed ways to keep control over data processing by cloud and software providers. The conference was hosted by the Strategic Vendor Management Unit of the Dutch Ministry of Justice and Security in collaboration with the European Data Protection Supervisor (EDPS).
Earlier this year, the Strategic Vendor Management Unit successfully negotiated new contractual clauses with Microsoft to ensure that using Windows and Office would no longer violate privacy legislation, after an investigation commissioned by the ministry had found that Microsoft Office 365 was in violation of the General Data Protection Regulation (GDPR).
The Secretary-General of the Ministry of Justice and Security Siebe Riedstra opened the conference and explained that renegotiating contracts is the first step in reshaping the relationship with the suppliers of hyperscale cloud and software services like Amazon, Google and Microsoft:
‘Keeping up with changes in suppliers’ terms and conditions as well as with the continuous changes in their products costs millions of euros a year. This can only be changed by collectively imposing our own terms and conditions on the supplier.’
The 2018 Data Protection Impact Assessment (DPIA) on Office 365, which built on a comparable 2017 investigation into Microsoft Windows 10 by the Dutch Data Protection Authority, found that Microsoft Office 365 ProPlus for enterprise users, even when installed locally, transmits numerous types of personal data to Microsoft servers, without the system administrators having any way to prevent or review these transmissions. At that time Microsoft reserved the right to change the data it collected for diagnostic purposes and other telemetry, and also to use that data for its own purposes. The Ministry of Justice and Security no longer found this acceptable.
Based on the outcomes of the DPIA, the ministry negotiated significant changes, both in the way Office 365 ProPlus and Windows process data and in the contract with Microsoft. The Dutch government’s Strategic Vendor Manager for Microsoft, Paul van den Berg – who called the conference said:
‘We turned it all around on Microsoft, saying: if you receive data from us, it can only be used for one of three purposes: providing the service we bought and use, keeping it secure, and keeping it up to date. All other purposes are forbidden. This we can audit – but how that will play out in practice remains to be seen.’
In order to comply with GDPR requirements, other enterprise users of Microsoft Office 365 ProPlus have to adopt the same technical measures that have since been made available by Microsoft to all enterprise users. They also need to negotiate changes to their own contracts with Microsoft. However, this is proving hard to accomplish for many organisations which lack the leverage of the collective Dutch government. For most customers, the necessary contractual amendments will only be achievable if they generate collective bargaining power.
Some European institutions have already found cloud providers unwilling to change their terms and conditions, even when confronted with the results of the Dutch investigations. Acting European Data Protection Supervisor, Wojciech Wiewiórowski, however, pointed out that the data controller bears primary responsibility for compliance. While Microsoft claims to be a processor for much of the processing it does, it is the controller’s responsibility to engage only processors that meet the requirements of the applicable data protection law. According to Mr Wiewiórowski it is therefore up to the institutions to shape the way they keep control. He added:
‘The solution implemented by the Dutch government shows what can be done by a well-equipped, skilful and knowledgeable institution – and on a scale that cannot be done by smaller, individual organisations. I am grateful to the Dutch for making the results of their study and their negotiations public, so others can benefit.’
Two factors were mentioned repeatedly by speakers as essential to maintaining control over data processing, especially in the cloud. The first factor is that sufficient leverage must be generated to successfully make fundamental changes to the way terms and conditions are negotiated. If enough institutions collaborate on procurement and contract management, change will be possible, Mr Wiewiórowski said, adding:
‘If I didn’t believe we could find the people and the institutions to make a real change, I wouldn’t be here.’
A show of hands revealed that the majority of participants are eager to join in the effort.
The second factor that determines success is the development of standardised frameworks for drawing up contracts and controlling their implementation, based on the tools provided for by the GDPR. If the institutions are to keep control over the way software processes personal data, they need a common understanding of how to use DPIAs and audit powers – and that means institutions needs to share information. The Dutch DPIA looked beyond the situation as described in the official documentation at the actual transmissions that could be detected.
A holistic approach to controlling data processing requires looking at organisational and contractual aspects, as well as technical specifications. This was underlined by the presentations by Maximilian Winkler of the German Federal Office for Information Security, who investigated the inner workings of the Windows 10 telemetry infrastructure, and Andres Steijaert of SURF, a cooperative association for IT services at Dutch educational institutions, who touched on some of the challenges of leveraging collective bargaining power with hyperscale providers.
Building a comprehensive strategy is essential to achieving success at the table. Attention to detail and being in charge of the negotiations and the drafting were key factors in the negotiations with Microsoft, said Herald Jongen, one of the negotiators present:
‘We had to make sure that Microsoft understood that we both had an interest in the outcome of the negotiations. They are not the enemy. We only wanted to exercise our responsibilities to keep control over the data they process for us.’
The drive in the room to change the way institutions depend on suppliers was strong. Where for years it had been impossible to imagine a future in which suppliers didn’t lay down the conditions under which they supplied their services, after this meeting most participants seem to agree that collective action is inevitable.
The alternative seems almost too dystopian to contemplate. Ultimately the conference will be a test of the GDPR’s strength and even more may depend on it, as Robert Riemann of the EDPS stated:
‘In order to maintain sovereignty, public authorities must protect critical supply chains and have exit strategies when using software as a service.’
This is even more clear when considering the rise of artificial intelligence, algorithms and the internet of things. One speaker points out that if those gain wide adoption, that would compound the problem with compliancy with GDPR and other standards and make it harder to change contracts.
The participants agreed that the desired changes are unavoidable and must be made soon. Regaining control and compliance with the GDPR is only possible if contracts are improved. There is simply no alternative. It was suggested that the EDPS could move things forward by issuing guidance. This idea was received with enthusiasm by many participants. The conference will reconvene in the spring of 2020 and will continue under the name The Hague Forum for Cloud Contracting.
The hyperscale suppliers will have no choice but to accept that the GDPR changes the way control is exercised in the cloud. And that is clearly a welcome prospect for those attending the conference.
All EU member states, EU institutions, European governmental partnerships, bodies and alliances that purchase cloud services are cordially invited to participate in the next The Hague Forum for Cloud Contracting.
For more information please contact:
Ministry of Justice and Security
Strategic Vendor Management Unit