At the start of the year, Microsoft published a new version of its Products and Services Data Protection Addendum (DPA), signalling the official launch of the EU Data Boundary as the European solution for the Microsoft Cloud. The German data protection authorities have decided to re-evaluate Microsoft 365 in light of these changes. Although the outcome of this process is still unclear and controllers are not required to take any specific actions at this time, the resumption of the review procedure will have an impact on data protection for Microsoft 365.
Background: the DPC’s criticism
The Data Protection Conference (DPC), a body composed of independent federal and state data protection authorities in Germany, issued a statement concerning Microsoft 365 on 25 November 2022. In this statement, the authorities concluded that “controllers are unable to demonstrate that Microsoft 365 is used in conformance with data protection law.” Microsoft immediately responded to the DPC’s assessment by publishing a statement of its own. On 1 January 2023, Microsoft took action to further improve data protection by issuing a new DPA and an updated list of subcontractors, as well as launching the EU Data Boundary as a contractual solution for a European Microsoft Cloud. We welcomed these measures as a very positive development.
Current status: reassessment by the DPC
The German data protection authorities have since acknowledged that the criticism they voiced on 25 November 2022 is no longer tenable in view of the numerous (positive) changes which have been made since then. They have accordingly decided, as is evident from the recently published minutes to their 1st Interim Conference of 2023, that a reassessment of the legal situation is required. The reassessment will focus on the Microsoft EU Data Boundary as a European solution for Microsoft Cloud, as well as the DPA of 1 January 2023. The DPC’s “Microsoft Online Services” working group has been assigned to perform the reassessment. Its findings really should be presented by the 105th Data Protection Conference on 10 and 11 May 2023, but this has yet to occur and it is currently unclear when we can expect them.
Outlook: impact on data protection for Microsoft 365
It remains to be seen how the data protection authorities will assess the measures taken by Microsoft. There is reason to fear that the authorities will once again reach a negative conclusion, but considering that the measures taken by Microsoft are very far-reaching, and that some of them go well beyond the industry standard, a different outcome does not appear to be out of the question. Therefore, users should be looking forward to this process and to the recently announced guide for the use of Microsoft products, and should not be concerned about a conflict with the data protection authorities. There is no need for controllers to take any specific actions in response to the recent developments, other than general measures to ensure the conformity of Microsoft 365 with data protection law.
back