Data Pro­tec­tion Con­fe­rence beg­ins reas­sess­ment of Micro­soft 365

At the start of the year, Micro­soft published a new ver­si­on of its Pro­ducts and Ser­vices Data Pro­tec­tion Adden­dum (DPA), signal­ling the offi­ci­al launch of the EU Data Boun­da­ry as the Euro­pean solu­ti­on for the Micro­soft Cloud. The Ger­man data pro­tec­tion aut­ho­ri­ties have deci­ded to re-evaluate Micro­soft 365 in light of the­se chan­ges. Alt­hough the out­co­me of this pro­cess is still unclear and con­trol­lers are not requi­red to take any spe­ci­fic actions at this time, the resump­ti­on of the review pro­ce­du­re will have an impact on data pro­tec­tion for Micro­soft 365.

Back­ground: the DPC’s criticism

The Data Pro­tec­tion Con­fe­rence (DPC), a body com­po­sed of inde­pen­dent fede­ral and sta­te data pro­tec­tion aut­ho­ri­ties in Ger­ma­ny, issued a state­ment con­cer­ning Micro­soft 365 on 25 Novem­ber 2022. In this state­ment, the aut­ho­ri­ties con­cluded that “con­trol­lers are unable to demons­tra­te that Micro­soft 365 is used in con­for­mance with data pro­tec­tion law.” Micro­soft imme­dia­te­ly respon­ded to the DPC’s assess­ment by publi­shing a state­ment of its own. On 1 Janu­ary 2023, Micro­soft took action to fur­ther impro­ve data pro­tec­tion by issuing a new DPA and an updated list of sub­con­trac­tors, as well as laun­ching the EU Data Boun­da­ry as a con­trac­tu­al solu­ti­on for a Euro­pean Micro­soft Cloud. We wel­co­med the­se mea­su­res as a very posi­ti­ve deve­lo­p­ment.

Cur­rent sta­tus: reas­sess­ment by the DPC

The Ger­man data pro­tec­tion aut­ho­ri­ties have sin­ce ack­now­led­ged that the cri­ti­cism they voi­ced on 25 Novem­ber 2022 is no lon­ger tenable in view of the num­e­rous (posi­ti­ve) chan­ges which have been made sin­ce then. They have accor­din­gly deci­ded, as is evi­dent from the recent­ly published minu­tes to their 1st Inte­rim Con­fe­rence of 2023, that a reas­sess­ment of the legal situa­ti­on is requi­red. The reas­sess­ment will focus on the Micro­soft EU Data Boun­da­ry as a Euro­pean solu­ti­on for Micro­soft Cloud, as well as the DPA of 1 Janu­ary 2023. The DPC’s “Micro­soft Online Ser­vices” working group has been assi­gned to per­form the reas­sess­ment. Its fin­dings real­ly should be pre­sen­ted by the 105th Data Pro­tec­tion Con­fe­rence on 10 and 11 May 2023, but this has yet to occur and it is curr­ent­ly unclear when we can expect them.

Out­look: impact on data pro­tec­tion for Micro­soft 365

It remains to be seen how the data pro­tec­tion aut­ho­ri­ties will assess the mea­su­res taken by Micro­soft. The­re is reason to fear that the aut­ho­ri­ties will once again reach a nega­ti­ve con­clu­si­on, but con­side­ring that the mea­su­res taken by Micro­soft are very far-reaching, and that some of them go well bey­ond the indus­try stan­dard, a dif­fe­rent out­co­me does not appear to be out of the ques­ti­on. The­r­e­fo­re, users should be loo­king for­ward to this pro­cess and to the recent­ly announ­ced gui­de for the use of Micro­soft pro­ducts, and should not be con­cer­ned about a con­flict with the data pro­tec­tion aut­ho­ri­ties. The­re is no need for con­trol­lers to take any spe­ci­fic actions in respon­se to the recent deve­lo­p­ments, other than gene­ral mea­su­res to ensu­re the con­for­mi­ty of Micro­soft 365 with data pro­tec­tion law.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.