Microsoft must regularly adjust the contracts for Microsoft 365 and Azure. This is driven by new tools and services as well as by changes in laws and court rulings.
Changes to the OSTs from 01.08.2020
71 changes were made between the version dated August 1, 2020 and the one dated September 1, 2020. Most of these concern translations, paragraph structure and formatting. However, there were also changes in content.
The hoped-for additional tools under the DPA and the OSTs do not exist. Here Microsoft still has some homework to do, also with regard to the EU standard contractual clauses. Information on this is also lacking, as the DPAs have not received a supplement on whether Microsoft can actually comply with them in the USA.
In detail (excerpt of the most important changes)
“Online services
Microsoft Azure Services: Provisions have been added that restrict the use of Azure facial recognition services by or for U.S. law enforcement agencies.
Azure SQL Edge: Provisions for the Azure SQL Edge offering added.”
So certain additions were made to the online services. According to the short changelog below the introduction, there was no major change to the core online services or the DPA. We will now check this more closely.
There were no changes in the definitions.
“Restriction on the use of Azure facial recognition services by or for U.S. law enforcement
Customer may not use the Azure Face Recognition Services if Customer is a law enforcement agency in the United States or permits the use of such services by or for a law enforcement agency in the United States. Violation of any of the restrictions in this section may result in immediate suspension of Customer’s use of the Service.
For the purposes of this section, “Azure Face Recognition Services” means facial recognition features or functionality included in Azure Services, such as Face; or the facial recognition functionality in Video Indexer.”
This paragraph was added to regulate the use of Azure Face Recognition Services by and for U.S. police authorities. There is no restriction for intelligence services and no restriction for German or EU police authorities.
The customer is also not allowed to develop its own software for U.S. police authorities that contains face recognition, or face recognition functionality for videos. In this context it is interesting that this very feature was removed from Microsoft Stream, allegedly because nobody used it.
“Azure SQL Edge
“IoT Device” means a computer device that (i) is designed or configured primarily for use with an industry or task-specific software program that provides the primary functionality of the computer device (“IoT Program”), (ii) uses a maximum of 16 physical cores, and (iii) is not designed to be marketed or primarily used as a multifunction server or as a commercially viable replacement for a multifunction server. Any IoT Device that is under the management or control of an entity other than the Customer or any of its affiliates is subject to the Outsourcing Software Management Clause of the Product Terms at http://go.microsoft.com/?linkid=9839207.
Use of Azure SQL Edge
Customer may install and use any number of copies of the Azure SQL Edge software on an IoT device intended for Customer’s use and to which a license has been assigned. Notwithstanding any provisions to the contrary in the “General Terms and Conditions”, the Customer may at any time transfer a license to other IoT devices intended for use. If the Customer installs other features or functionalities than the Azure SQL Edge software (whether derived from Microsoft or third party software) on the IoT Device, these other features or functionalities may only be used to support the IoT Program.
The terms of the Data Protection Amendment (DPA) do not apply to Azure SQL Edge installed on the Customer’s IoT Device, except to the extent that personal information is collected to enable Azure management services and to measure usage for billing purposes, as the operating environment of such IoT Devices is not under the control of Microsoft.”
A section on Azure SQL Edge has been added, making it clear that the DPA does not apply to it, except for the personal data that the Azure management services need in order to perform their function and that Microsoft uses for its legitimate business purposes (here: billing).
IMPORTANT: Exclusions from the DPA annex
“The provisions of the DPA do not apply to: Bing Maps Mobile Asset Management Platform, Bing Maps transactions and users, Bing Maps search services, Cognitive Services in containers installed on customer’s dedicated hardware, GitHub offerings, LinkedIn Sales Navigator, Azure SQL Edge, Azure Stack Hub, Microsoft Graph data link for ISVs, Microsoft Genomics and Visual Studio App Center Test. Each of these online services is subject to the privacy and security policies set forth in their respective specific online services policies.”
In this section, according to my information and the comparison document, only translation errors were corrected or product names were translated. No services or features were added or removed.
IMPORTANT: Appendix 1 Core Services
Let’s take a closer look at these changes, especially the changes in Microsoft Azure Core Services.
This function has been moved from a stand-alone service into the Azure AD services and therefore remains covered by the DPA annex.
Azure Cosmos DB
In the German text, the word for “formerly” in “(formerly Document DB)” was replaced by a synonym; this is a purely linguistic adaptation. According to the Duden, “vormals” means once or earlier, the same as “ehemals”. The English version is unchanged here, so this is a German-only linguistic adaptation.
Site Restore becomes Website Restore
Adaptation of the translation
Distance database becomes Stretch Database
Adaptation of the translation
Virtual computers becomes virtual computers (German wording only)
Adaptation of the translation
Microsoft Threat Protection
Formatting only; no change is visible in the comparison.
IMPORTANT: Core services
“In addition to the security procedures and policies for online services in the DPA, each Core Online Service also complies with the control standards and frameworks set forth in the table below and implements and maintains the security measures described in Appendix A of the DPA to protect customer data.”
“With respect to core online services, Microsoft stores customer data at rest within certain major geographic areas (each a geographic zone) as follows, unless otherwise specified in the specific terms and conditions for online services:”
In this section, both the content and the wording were adjusted. I am pleased that my criticism has been taken up here.
For example, Microsoft now makes it clear that for core online services it stores customer data at rest within one major geographic area, defined as a geographic zone, unless other rules apply to specific products such as Sway. This is a new fixed standard, even though it had been assumed before. The Azure regions correspond to these geographic zones (e.g. Germany is a region and Europe is a region). This matters, for example, for compliance with import and export regulations, because data is, and may only be, stored in this one region.