The working group’s update could crank up pressure on Microsoft 365 customers in Germany — and elsewhere in the European Union where the same data protection framework applies and other regulators are also investigating cloud services’ GDPR compliance — to reassess usage of its software and/or seek out less compliance-challenged alternatives. The EU’s data protection supervisor (EDPS), which oversees the bloc’s own institutions’ GDPR compliance, has been looking into the European Commission’s use of Microsoft Office 365 since May last year — as well as probing EU bodies’ use of Amazon’s cloud services. The European Data Protection Board (EDPB) also kicked off a related coordinated enforcement action in February that it said would focus on public sectors use of cloud services — which it said would take about a year to report, with the aim for the action to harmonize regulatory interventions in this area. “Use of non-compliant ICT products and services by the public sector threatens the protection of personal data of all EU residents,” the EDPS wrote in an update on its probe in April (which also does not appear to have concluded and finally reported yet). “Public sector bodies at national and EU level have a duty to lead by example, including when it comes to outsourcing and transfers of personal data within and outside the EEA [European Economic Area].” Microsoft announced some changes to its cloud contact terms in Europe back in 2019, following an earlier warning by the EDPS raising serious concerns — and after a Dutch ministry obtained some contractual changes and technical safeguards and settings in amended contracts it agreed with Microsoft that year after it requested changes — but it remains to be seen how the data supervisor will assess GDPR compliance for use of its cloud services now. For one thing, it’s a more complicated situation for EU-US data transfers at present, in the wake of the July 2020 Schrems II CJEU ruling — and still with no replacement transatlantic data transfers agreement formally adopted by the bloc.
German working group weighs in
The German working group’s report is focused on assessing Microsoft 365 (née Microsoft Office 365)’s compliance with certain provisions of the pan-EU General Data Protection Regulation (GDPR) — after an earlier assessment by a local regulator, in January 2020, found that “no data protection-compliant use of Microsoft Office 365 is possible”. Among the ongoing issues raised by the group are concerns over a lack of clarity and precision in Microsoft’s contracts and processing for 365, and the legal base it claims to process data — including for what it describes as “legitimate business purposes”. The working group said a central theme of the talks was trying to determine in which cases Microsoft acts as a data controller, which carries a more expansive set of responsibilities under EU data protection law (e.g. accountability obligations), and in which scenarios it’s only a processor (as the 365 customer is the controller) — but their summary concludes: “This could not be conclusively clarified.” They also query the viability of Microsoft relying on a “legitimate interest” ground as a legal base for processing data for its own purposes where 365 customers are public sector organizations like schools, with the group raising doubts that it can be applied in that context. Their report also questions the sufficiency of additional technical and organizational measures added by Microsoft in response to concerns about the safety of exported data — arguing that legal uncertainties remain over the claimed security measures which it points out only cover a subset of personal data subject to the contract. In a statement accompanying the report, the Datenschutzkonferenz (DSK) — a steering body for Germany’s decentralized application of data protection law — said it’s not possible for users of Microsoft’s cloud-based software to demonstrate compliance in spite of a series of changes it made to its 365 contracts in a data protection addendum from September 2022 which are assessed as being only “minor improvements” compared to the problems identified. Or, put another way, the group’s conclusion is there’s currently no way to use Microsoft 365 in compliance with the GDPR. Summarizing their assessment of Microsoft’s response to earlier compliance concerns, the group said it was not able to achieve “any significant improvements” in contract wording, as regards types and purposes of processing — noting that comprehensive descriptions and details are still lacking. While it has taken the view that contractual amendments made by Microsoft as a result of this regulatory engagement — with regards to its own processing for so-called “business activities” (previously described in its contracts as “legitimate business purposes”) — are also superficial wording tweaks that do not bring any “substantial improvements”. On that, the report refers to a statement made by Microsoft that it has not actually made any adjustments to its processing activities. The group’s assessment remains, therefore, that Microsoft continues to grant itself insufficiently limited rights for certain types of processing. Microsoft’s large-scale collection of telemetry and diagnostic data — under what legal basis — is another concern for the regulators, with the group suggesting the data is processed by Microsoft “fundamentally for self-interested purposes” — which they point out is a particular challenge for public sector users of 365 to be able to justify under the GDPR. Data transfers out of the EU are another area of focus, given ongoing legal uncertainties related to EU data exports to third countries like the US (and the group points out it’s not currently possible to use Microsoft 365 without data being processed in the US). As are concerns about legal issues arising as a result of US laws like the Cloud Act and FISA 702 — which could compel Microsoft to hand over customer data, which runs counter to EU privacy laws that require data to be adequate protected outside the bloc as well as within. The working group points out that many 365 services require Microsoft to access customer data in the clear — meaning the obvious fix of applying strong encryption is not regularly available in this cloud service context. Microsoft’s policies towards retention and deletion of data also do not always meet the requirements set out in the GDPR, per the group’s report. They are also unimpressed by the level of notification and detail Microsoft provides to customers about sub-processors/sub-contractors — which is says falls below the specificity afforded in the updated Standard Contractual Clauses template provided by the European Commission last year. Contacted for a response to the working group’s criticisms, Microsoft sent us this statement:
“Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”
It also pointed to a blog post it published in German (the same statement is here in English translation) in which it expands on its claim of no EU privacy law concerns attached to Microsoft 365 products — arguing that the DSK’s concerns “do not appropriately reflect” changes it claims to have already undertaken and making a further assertion that the working group has misunderstood how its services operate and measures (and “significant changes”) it says it’s already implemented. Microsoft’s statement referenced above links to a second (7-page) statement, which it has only made available in German — which it says offers a “more detailed” response to some of the issues raised. In this expanded statement (which we’ve translated using machine translation), Microsoft offers a point by point rebuttal to the DSK’s concerns and also claims the EU Data Boundary will “significantly reduce” data flows outside Europe and boost transparency by providing “detailed documentation on remaining, necessary data flows”. The document also goes on the attack, accusing “some” German regulators of interpreting GDPR in what it couches as an “excessively risk-averse manner” — which Microsoft claims “overburdens and paralizes those responsible” as a result of “excessive expectations of accountability”. It will be up to the EU’s regulators to determine whether anything Microsoft argues can really fix the raft of legal issues that keep surfacing over its cloud services’ compliance with GDPR — or whether it’s just more bluster from a data-mining tech giant that’s being called on excessive and unlawful access to customer data, and, therefore, whether more substantial reforms will be required before Microsoft will be the ‘safe’ choice for IT procurers in the EU in future. Following the German working group’s statement, data protection experts in Europe have been calling for pan-EU enforcement over the problems identified by regulators — and questioning why Microsoft cannot apply meaningful limits on customer data processing, given it previously agreed to drop processing for business activities in government and public sector contracts agreed in the Netherlands, for example. 270527a1 Microsoft’s lead data protection authority in the EU is Ireland’s Data Protection Commission — which would be responsible for leading any pan-EU enforcement of the GDPR against the company. However the DPC told TechCrunch it does not currently have any open inquiries into Microsoft — so it appears more likely that regional enforcement of cloud compliance concerns will be pushed through via decentralized (but coordinated) attention to public sector contracts Microsoft has inked around the bloc by regulators in different Member States. Which sounds like, well, the kind of messy, multi-pronged, resource-draining enforcement nightmare for itself and customers of Microsoft 365 the company should really be doing everything it can to avoid… Microsoft 365 faces darkening GDPR compliance clouds after German report by Natasha Lomas originally published on TechCrunch