In a recent joint publication, the Conference of German Data Protection Authorities (DSK) again expresses concerns regarding the compliance of Microsoft 365 with data protection law. Please find the document in German language here. Corporations doing business in Germany are well advised to proceed with caution. This article provides guidance on what to consider now.
What happened?
The DSK has once again examined the data processing agreement for the use of Microsoft 365 (Online Service Terms) and published the result. In September 2020, the DSK had already pointed out the data protection deficits of Microsoft 365 in an official statement. Microsoft responded to the DSK’s critique by adjusting the contractual and technical documentation and publishing, inter alia, a “Data Protection Addendum for Microsoft Products and Services”. The DSK has now based its updated review on the documentation including these adjustments made by Microsoft.
Result of the renewed statement
The DSK concludes that the Online Service Terms and other available documentation on Microsoft 365 would be insufficient to demonstrate the controllers’ compliance with data protection law when using Microsoft 365.
According to the DSK, it is unclear in which cases Microsoft acts as a controller and in which cases Microsoft acts as a processor in the terminology of the GDPR. To the extent Microsoft is data controller, questions regarding the purposes of the processing are according to the DSK not adequately addressed. It would also be unclear which personal data Microsoft processes and what the respective legal basis for the processing are. Further, where Microsoft is a processor, the data processing agreement would not meet the requirements of Art. 28 (3) GDPR. This would in particular be the case for the technical-organizational measures, Microsoft’s obligation to follow instructions, Microsoft’s obligation to return and delete data, the information on sub-processors and the obligation to disclose data access by U.S. authorities. Also DSK critically considers the transfer of personal data to third countries, especially the U.S.
Microsoft’s Statement
Microsoft published a response-statement and makes the point to take the DSK concerns seriously, but Microsoft also considers many of the conclusions of the DSK to not be substantial. According to Microsoft, the interpretation of some data protection authorities in Germany is excessively risk-averse and thus paralyzes not only responsible parties, but also progress in digitization as a whole. Microsoft’s detailed statement can be found here in German language.
What you should consider now
According to the DSK using Microsoft 365 is in breach with data protection law. This is certainly an unpleasant starting point for implementing or operating Microsoft 365. In principle, controllers must be prepared for German data protection authorities’ administrative actions against using Microsoft 365 and ultimately respective fines. However, to our knowledge, there have not yet been particular measures taken and there is no particular indication for that to happen soon. It is therefore advisable to remain calm for the time being and stay tuned for the moment.
After all, the process of improving Microsoft 365 in terms of data protection does not appear to be complete now. As explained, Microsoft has made substantial adjustments following the DSK’s statement in September 2020. In Microsoft’s new statement, Microsoft makes additional promises to examine the DSK requirements and to further improve its service.
In addition, Microsoft intends to largely restrict data processing for European cloud customers to the EU by introducing the so-called “EU Data Boundary”, expected by the end of 2022. Also, the EU Commission’s adequacy decision for data transfers to the USA based on the new “EU-U.S. Data Privacy Framework” is expected in early 2023 and may become a gamechanger. The DSK has expressly not taken the new framework into account in its opinion at this point.
If you are already using Microsoft 365, there are good reasons to remain calm and wait for these developments to happen. In order to document compliance efforts and taking the DSK Opinion seriously, it’s a possible and prudent move to address the DSK concerns to Microsoft and claim for according adjustments. For projects to introduce Microsoft 365 it is even more crucial to stay up to date in regard to any developments and to adjust the project accordingly in case of need.