European Data Protection Authorities Set Sights on Microsoft 365

Privacy Plus+

Privacy, Technology and Perspective

This week, let’s look at recent developments in Microsoft’s continuing struggles to satisfy European data regulators about its use of Microsoft 365 in Europe, and what those struggles mean for Europeans using Microsoft 365 or any other workforce productivity suite with similar functionality, such as Google Workspace.

2 Years of “One Step Forward, Two Steps Backwards”: For background on the tensions between U.S. and E.U. approaches to privacy, Schrems I and Schrems II, you can read our previous post, entitled “The Standard Contractual Clauses Find Safe Harbor,” by clicking on the following link:

https://www.hoschmorris.com/privacy-plus-news/privacy-plus-the-standard-contractual-clauses-find-safe-harbor

Following the Schrems II decision, Germany formed a working group of federal and state regulators called the German Datenschutzkonferenz (Data Protection Conference) (the “DSK”). In part, the DSK tasked itself with studying Microsoft 365’s terms of service in Germany and the activities of German data controllers who use it. Microsoft participated. The DSK described its purpose as a limited review focused on Microsoft’s “contractual deficiencies” and descriptions rather than on the actual data flows, processing acts, or employee monitoring. Over the years Microsoft has made various changes to its terms of service, including its Privacy Addendum of September 2022 (note that the Microsoft Products and Services Data Protection Addendum (DPA) has since been updated). As we read the history, the DSK appears to have viewed Microsoft’s changes as incremental progress, but not enough.

“Points of Criticism”: In its report issued in late November 2022, the DSK complains that it is still unclear what personal data is being processed within the scope of what Microsoft calls “legitimate business purposes” (or “business activities”); that “legal uncertainties remain” regarding Microsoft’s technical and organizational measures for security; that Microsoft’s descriptions of controllers’ rights in the event of changes in sub-processors are “much less detailed” than the EU Commission’s Standard Contractual Clauses require; and several other issues.

However, the DSK’s principal complaint seems to be that, even looking only at the contractual level, it simply isn’t possible for Microsoft 365 to comply with the GDPR. According to the DSK, Microsoft 365 can’t be used without transferring personal data to the United States, even with storage in Europe. Further, most Microsoft 365 services require Microsoft to access the unencrypted, non-pseudonymized data, and encryption isn’t generally possible, for example if the data needs to be displayed in a browser. Finally, the authorities report that they “have not found additional protective measures that would make data export legal” and that the system’s requirements “cannot compensate for fundamental inadequacies of US law measured against the standard of EU law.”

You can read the DSK announcement (in German) by clicking below. (Our quotes are drawn from Google Translate.)

https://datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_zusammenfassung.pdf

Meanwhile, what about School Children? The DSK also notes that while parents or guardians can consent to the processing of their children’s data between the ages of 13 and 16, no one can consent to it below the age of 13. So Germany is joining France (the two most populous countries in Europe) in banning the use of Microsoft 365 in public schools teaching children of that age.

Will the Biden Executive Order “Enhancing Safeguards for US Signals Intelligence Activities” be sufficient? On October 7, 2022, the White House announced a new Executive Order to address the Schrems II problem of third-country data transfers. The DSK noted this Order in its report but did not address it because proposed Justice Department regulations were still pending. Nevertheless, you may read the Order by clicking on the following link:

https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/

Our Thoughts: Microsoft 365 and Google Workspace are by far the two most popular productivity suites among both enterprises and small and medium-sized businesses. Where there aren’t many viable alternatives, organizations will be left to grapple with the issues identified by the DSK. The Register suggests that this could drive business to Microsoft’s competitors in the space, such as Google. One commentator even asks whether bans on Microsoft’s and Google’s products in that space would represent an opportunity for, say, Linux’s Open Office. A link to that article in The Register follows:

https://www.theregister.com/2022/11/30/office_365_faces_more_gdpr/

We doubt very much that we’ll see a resurgence of Linux or a ban on Microsoft 365. However, we do expect that alert organizations will assess how best to mitigate the risks associated with using Microsoft 365 to process personal data, especially through the implementation of additional administrative data protection measures.

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.
