German data protection conference 2022 says Microsoft 365 still not GDPR compliant

The use of Microsoft 365 (including Office 365) is still not compliant with the European General Data Protection Regulation (GDPR). Anyone using the product is breaching GDPR law, at least as far as the standard configuration specified by Microsoft is concerned. Despite subsequent improvements, Microsoft has not yet succeeded in ensuring the GDPR compliance of Microsoft 365. That is the conclusion of the Data Protection Conference 2022 in Germany.

The Data Protection Conference (Datenschutzkonferenz, DSK) is the conference of the independent data protection authorities of the federal and state governments in Germany. The body deals with current data protection issues in Germany and comments on them. Its resolutions and short papers are available on this website.

Microsoft 365 and data protection

For a very long time there has been a discussion about the extent to which the Microsoft products Windows 10, Windows 11 and Microsoft Office (365) are compatible with EU data protection legislation and the General Data Protection Regulation (GDPR). The use of these products in schools and educational institutions in particular has been prohibited by the data protection commissioners of several federal states. The DSK has also made statements about Windows 10 in connection with GDPR-compliant use. The conclusion so far is that the products are not compliant with the GDPR as delivered (out of the box) and must be extensively adapted for use in companies. In the meantime, Microsoft has bundled its Windows 10/11 and Microsoft Office 365 products with other applications into the cloud-based Microsoft 365 product.

The situation in 2022

On November 25, 2022, the DSK published the position of the relevant DSK working group on Microsoft 365 in the document Festlegung zur Arbeitsgruppe DSK "Microsoft-Onlinedienste" (PDF). The document, dated November 24, 2022, states that the DSK takes note of the report of the DSK working group "Microsoft Online Services" and its summary. With reference to the summary of the report, the DSK states:

That controllers cannot provide the proof that they operate Microsoft 365 in compliance with data protection law on the basis of the "Data Protection Addendum of September 15, 2022" provided by Microsoft. In particular, this proof cannot be provided as long as the necessary transparency about the processing of personal data from commissioned processing for Microsoft's own purposes is not established and its lawfulness is not demonstrated.

A clear statement: The products contained in Microsoft 365 cannot be used in schools, educational institutions and companies in a way that complies with data protection law. The Federal Data Protection Commissioner Ulrich Kelber also points this out in a statement. For a more in-depth assessment of the results of the talks, the DSK provides the summary of the working group results (PDF).

The development since Sept. 2020

As early as 2020, the DSK had taken note of an assessment by the Administration Working Group (AK Verwaltung) of the Online Service Terms (OST) underlying the use of the cloud service Microsoft Office 365 (now: Microsoft 365) and of the Data Protection Provisions for Microsoft Online Services (Data Processing Addendum, DPA), each as of January 2020, with regard to compliance with the requirements of Article 28(3) GDPR. The assessment of AK Verwaltung at that time was "that on the basis of these documents no data protection-compliant use of Microsoft Office 365 is possible".

In the meantime there were apparently talks between the data protection commissioners of some German states and Microsoft about subsequently improving the data protection provisions with regard to the individual processing activities.

The status as of Sept. 2022

At the 104th Data Protection Conference, the DSK, on the basis of the current data protection assessment, came to the conclusion already stated above that the products cannot be used in compliance with the GDPR. Quote from the summary:

The central and recurring question in the series of discussions was in which cases Microsoft acts as a processor and in which cases as a controller. This could not be conclusively clarified. Controllers must be in a position to meet their accountability obligations under Article 5(2) GDPR at all times.

When using Microsoft 365, difficulties can still be expected in this regard on the basis of the "data protection supplement", as Microsoft does not fully disclose which processing operations take place in detail.

In addition, Microsoft does not fully disclose which processing operations take place on behalf of the customer and which take place for its own purposes. The contract documents are not precise in this respect and do not allow a final evaluation of the processing, which may be extensive, including processing for Microsoft's own purposes.

So even after Microsoft's corrections and amendments, the German data protection authorities had no choice but to conclude that Microsoft 365 cannot be used in compliance with data protection law. The summarized justification is that these documents do not give the customer the transparency needed to recognize which data the US company may use "for its own purposes". In some places it is still not possible to assess what information and diagnostic values are collected and transferred to Microsoft, the summary says. This also makes it impossible to check whether every processing step is lawful in the sense of the GDPR, the data protection experts write.

Data protection authorities must look at individual cases

According to the German site Golem, Dr. Ulrich Kelber announced that the data protection authorities "will have to look at individual cases to see whether it is nevertheless possible to achieve data protection compliance." This revolves around the handling of biometric, diagnostic and telemetry data. According to Kelber, use may be acceptable if micro-virtualization is used or a proxy server is placed in between to prevent this data from being sent to Microsoft.
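If an organisation follows the proxy route Kelber mentions, it still has to show what actually leaves its network; otherwise the accountability problem (Article 5(2) GDPR) is merely moved from the contract documents to the proxy. The following script is an added example written for this post, not code from the DSK, from Kelber or from Microsoft: it audits a proxy access log against an allowlist of destinations the organisation has decided are necessary and reports every other destination the clients attempted, including whether the proxy actually blocked it. The log format, the allowlist and every host name in it are constructed placeholders, not real Microsoft endpoints.

```python
"""Egress audit for a filtering proxy placed in front of Microsoft 365 clients.

Added example, not from the original post. Assumed (constructed) inputs:
a minimal proxy log format "<epoch> <client_ip> <method> <target> <status>",
where <target> is either a CONNECT host:port or a full URL, and an allowlist
of hosts (fnmatch-style wildcards allowed) that the organisation has reviewed.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist: destinations the organisation has documented as necessary.
ALLOWLIST = [
    "mail.example-tenant.test",
    "*.docs.example-tenant.test",
]

# Constructed sample log lines (placeholder hosts, not real endpoints).
SAMPLE_LOG = """\
1669300000 10.0.0.12 CONNECT mail.example-tenant.test:443 200
1669300001 10.0.0.12 CONNECT files.docs.example-tenant.test:443 200
1669300002 10.0.0.12 POST https://diag.vendor-telemetry.test/v1/upload 403
1669300003 10.0.0.15 CONNECT mail.example-tenant.test:443 200
1669300004 10.0.0.15 CONNECT stats.vendor-telemetry.test:443 200
1669300005 10.0.0.15 POST https://diag.vendor-telemetry.test/v1/upload 403
"""


@dataclass
class Finding:
    host: str
    clients: set = field(default_factory=set)
    requests: int = 0
    allowed_by_proxy: int = 0  # requests the proxy let through (2xx/3xx status)


def host_of(target: str) -> str:
    """Extract the destination host from a CONNECT host:port or a full URL."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower() if ":" in target else target.lower()


def is_allowlisted(host: str, allowlist=ALLOWLIST) -> bool:
    """Case-sensitive wildcard match against the reviewed allowlist."""
    return any(fnmatchcase(host.lower(), pattern.lower()) for pattern in allowlist)


def audit(log_text: str, allowlist=ALLOWLIST) -> list:
    """Return one Finding per destination outside the allowlist, sorted by host."""
    seen = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, _method, target, status = line.split()
        host = host_of(target)
        if is_allowlisted(host, allowlist):
            continue
        finding = seen.setdefault(host, Finding(host))
        finding.clients.add(client)
        finding.requests += 1
        if status.startswith(("2", "3")):
            finding.allowed_by_proxy += 1
    return sorted(seen.values(), key=lambda f: f.host)


def leaked_hosts(findings) -> list:
    """Destinations outside the allowlist that the proxy nevertheless let through."""
    return [f.host for f in findings if f.allowed_by_proxy > 0]


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"{f.host}: {f.requests} request(s) from {len(f.clients)} client(s), "
              f"{f.allowed_by_proxy} let through")
    print("leaks:", leaked_hosts(results))
```

The point of the `allowed_by_proxy` counter is that a blocked request (HTTP 403 in the sample) still tells you a client tried to send something, which belongs in the documentation of processing activities, while a 2xx to an unreviewed host is a gap in the control itself and must be either blocked or justified. Wildcard entries in the allowlist should be kept as narrow as possible, since a pattern such as `*.test` would silently allow everything under that suffix.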

According to Golem, Kelber doubts that Microsoft 365 can be used "just like that on a computer without further protective measures." This means that public authorities, educational institutions and companies are currently violating the GDPR when they use Microsoft 365. It would also mean that private individuals should not use Microsoft Office 365 without further measures either, even though private individuals are not subject to the GDPR.

Progress yes, breakthrough no

The German Federal Data Protection Commissioner, Dr. Ulrich Kelber, is quoted by heise as saying that Microsoft has made "progress on individual points" with the new September 2022 version of its data processing agreement. In the Microsoft Products and Services Data Protection Addendum (DPA), the standard contractual clauses of the EU Commission (following the Schrems II ruling of the European Court of Justice, ECJ) have indeed been adopted. But at the end of the day one is not really any further ahead, because the crux of the matter, proving that the deployment is data protection compliant, still cannot be achieved.

To put it in a nutshell: For two years Microsoft has faced the task of adapting Microsoft 365 and its data protection agreements so that they comply with the European General Data Protection Regulation (GDPR, German DSGVO). For two years Microsoft has failed to do so. Perhaps Redmond is not interested, as the market for these products is not yet closed.

I think the German IT landscape in public authorities and companies is visibly running into a problem (the use of Office 365 in schools is to be phased out). France is taking a more rigorous approach. A few days ago I reported in the post Free Microsoft 365 and Google Workspace banned from France's schools that France bans the use in schools and authorities (because of the cloud connection).

Similar articles:
Safe Harbor: EuGH erklärt Abkommen für ungültig
European Court cancels EU-US "Privacy Shield"
Preliminary agreement between EU and US on the Trans-Atlantic Data Privacy Framework
US President Biden signs Executive Order for "Privacy Shield 2.0" data protection agreement
Data protection commissioner of Baden-Württemberg (Germany) considers US President Biden's Executive Order for a data protection agreement "Privacy Shield 2.0" with European Union as insufficient
