Using MS-Teams, Skype and other Office 365 services violates data protection law and may result in million Euro fines. That’s the conclusion of two papers recently issued by the Berlin Commissioner for Data Protection and Freedom of Information. There is urgent need for action in many companies now. Read how to reduce your risks.
What has happened?
With the outbreak of the Corona crisis, many companies sent their employees to the home office, meetings were moved from the off- to the online world and the demand for online conferencing tools dramatically increased. So apparently have the enquiries about data protection requirements for using online conferencing tools at data protection authorities including the Berlin Commissioner for Data Protection and Freedom of Information (BlnBDI). In order to facilitate legal assessment of such tools, the BlnBDI has published two papers which can be downloaded in German here and here. This puts a heavy burden on any company aiming to use common online conferencing tools or Office 365 products in line with data protection law.
In practice, common online conferencing tools including MS-Teams, Skype, Zoom, Cisco WebEx and Google Meet cannot be used any longer in a data protection-compliant manner. The BlnBDI main arguments are shortcomings in the contractual arrangement, in particular, the data processing terms. Consequences are data protection violations for companies using services such as MS-Teams and Skype at least according to the BlnBDI. Fines in relevant amounts could be the consequence (see our blog article Fines, Penalties and Damages for Data Protection Violations). A small yet relevant detail is that the massively criticized Microsoft Online Service Terms also apply to any other Office 365 products under Office 365 cloud licenses. Deploying such Microsoft products including MS Word, MS Outlook or MS Excel, is therefore also subject to data protection violations and severe fines.
The BlnBDI is not the only one criticising the Office 365 products and its contractual arrangements. One day earlier than the BlnBDI publishing her second paper, the European Data Protection Commissioner published his paper on the Microsoft products and also expressed massive critique. You can download the paper here. It is more than likely that further German and European data protection supervisory authorities will follow this lead. The risk of measures and fines against companies using Office 365 products will thus increase.
What can be done?
As data controllers, companies using Office 365 products must ensure compliance with data protection law. According to the BlnBDI, the Office 365 services may only be used in case contractual arrangements with Microsoft are changed in a data protection compliant manner or use must be discontinued. For many companies, in practice, this would result in ceasing administrative activities. Without Teams, Word, Outlook and Excel few or no companies would be able to function any longer. There appear to be few options left:
- Continue to use Office 365 products and accept the risk of severe and possibly existence threatening fines. => this is probably not the best solution
- No longer use Office 365 products. => In light of little or no alternatives, for example in the area of online conferencing tools (according to the BlnBDI, the common products cannot be used in line with data protection law), this would be a step backwards into a pre-digital age.
- Start negotiations with Microsoft on the amendment of the Microsoft Online Service Terms. => There are limited chances that Microsoft will seriously enter into negotiations, however, it is your only good option if you want to continue using Office 365 products and can improve your legal risk exposure.
Reasons to Start Negotiations with Microsoft.
In case you are dependent on Office 365 products because migration is technically too complex, there is no adequate alternatives or you simply want to continue using Office 365 products, you should negotiate with Microsoft. No matter whether Microsoft is prepared or willing to negotiate with you.
There are good reasons to argue in favour of having a claim against Microsoft for adjustment of the Microsoft Online Service Terms. In particular, there are contractual accessory obligations to make clarifying declarations in the event of ambiguities in the agreement where this was not the parties’ intent. This is the case for the Microsoft Online Service Terms in light of the BlnBDI’s paper. There is critique that terms are unclear and contradictory, which would result in data protection violations. Data controllers can hence no longer be sure whether the use of Office 365 products is in line with data protection laws due to unclear terms.
This was clearly not intended by the parties when agreeing on the Microsoft Online Service Terms. As a result, Microsoft and affected companies concerned have a common desire to enter into contractual arrangements that comply with data protection law. To the extent necessary for this purpose, Microsoft must therefore provide a clarifying statement. Otherwise Microsoft would violate contractual accessory obligations.
Another argument coming to the same conclusion is the obligation to adjust contractual basis of an agreement where circumstances change that are the basis for the parties’ agreement. This also applies to the Microsoft Online Service Terms. The parties have clearly not intended to violate data protection law and to create the severe risk of supervisory authorities’ actions against companies using Office 365 products. With the assessment of the BlnBDI there is now a relevant and commonly unwanted likelihood of such actions. Therefore Microsoft must agree to amend the Microsoft Online Service Terms.
It is far from certain that Microsoft will in fact negotiate with your company. The large number of companies using Office 365 in Germany alone makes it unlikely that individual negotiations can be held with each company. Nevertheless, there are three reasons to give it a try.
- In case enough companies turn to Microsoft, the pressure on Microsoft could result in changes the Microsoft Online Service Terms solving or partly solving the matter.
- In case there were proceedings resulting in fines against companies using Office 365, the amount would depend on the individual case and at large depend on measures taken to prevent data protection violations and to reduce their impact. Any attempt to reach agreements with Microsoft that comply with data protection law are more than likely to be taken into account in favour of the company concerned. At least, that’s our impression from discussions with various contacts at the data protection authorities.
- In case Microsoft violates contractual accessory obligations and does not adjust the Microsoft Online Service Terms, there is a fair chance that Microsoft must compensate any loss suffered from that breach.
It is therefore worth negotiating with Microsoft.
How to negotiate with Microsoft
To enter into negotiations with Microsoft, you must formulate and submit your desire to change or clarify the Microsoft Online Service Terms. Such request must be brought to the contracting entity. For Microsoft, this is not always easy to determine. Mostly, the Irish Microsoft company concludes license agreements with European customers. The address is:
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park,
Leopardstown, Dublin
In some contracts the US entity is also mentioned as contracting entity. The address is:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
For business customers in Germany, Microsoft provides contact of the German subsidiary on its website. One may therefore assume that this company is authorized to receive legal declarations. The address is
Microsoft Germany GmbH
Walter-Gropius-Straße 5
80807 Munich
fax: 01805 22 95 54
There may be other Microsoft entities that may legally be fit to receive your request.
In order to prove your request was delivered and thus the opening of negotiations, it is advisable to send it by fax or registered mail. In the request, you should refer to the critique in the BlnBDI’s paper and demand as specific as possible to remove or clarify illegal wording in the Microsoft Online Service Terms. This is yet only the first step. You should then follow up whether Microsoft responds to your request, provides general explanations or adapts the Microsoft Online Service Terms. If this does not happen or changes are not sufficient, you will need to consider further escalation steps possibly including legal action to enforce your claims.
Conclusion
The BlnBDI’s papers poses major legal challenges for companies that use common online conferencing tools and Office 365 products. There are few or no technical alternatives; neither are there simple legal solutions. The only way out of this misery are negotiations Microsoft (and other providers).