Data pro­tec­tion with Micro­soft 365

Regu­la­tors and Micro­soft express their views

On 25 Novem­ber 2022, the Data Pro­tec­tion Con­fe­rence (DSK), the body of inde­pen­dent Ger­man fede­ral and sta­te data pro­tec­tion super­vi­so­ry aut­ho­ri­ties, published an opi­ni­on on Micro­soft 365. The opi­ni­on is the result of a series of joint dis­cus­sions bet­ween DSK and Micro­soft, fol­lo­wing DSK’s initi­al assess­ment of Micro­soft Office 365 (now: Micro­soft 365). After DSK came to the con­clu­si­on in 2020 that “no use of Micro­soft Office 365 is pos­si­ble under data pro­tec­tion law”, only “minor impro­ve­ments” are now said to be dis­cer­ni­ble. In this artic­le, we pre­sent and eva­lua­te the main points of con­ten­ti­on. At the end, you can down­load a detail­ed com­pa­ri­son of the posi­ti­ons and our assessment.

Eva­lua­ti­on by DSK

The basis of DSK’s cur­rent assess­ment is the Micro­soft Pro­ducts and Ser­vices Data Pro­tec­tion Adden­dum (“DPA”) as amen­ded on 15 Sep­tem­ber 2022. DSK empha­si­s­es that, in addi­ti­on to the eva­lua­ti­on of the con­trac­tu­al frame­work, no tech­ni­cal exami­na­ti­on of the pro­ces­sing ope­ra­ti­ons or eva­lua­ti­on of the imple­men­ta­ti­on of the con­trac­tu­al arran­ge­ments has taken place. The main points of cri­ti­cism include non-transparent pro­ces­sing of data by Micro­soft for its own pur­po­ses in the view of the DSK, as well as the trans­fer of data to the United Sta­tes, wher­eby the new Exe­cu­ti­ve Order of the US Pre­si­dent of 7 Octo­ber 2022 has express­ly not yet found its way into the assessment.

State­ment by Microsoft

Micro­soft alre­a­dy reac­ted to the DSK assess­ment on the same day by publi­shing its own state­ment. In it, the com­pa­ny sta­tes that Micro­soft 365 pro­ducts “not only meet, but often exceed, strict EU data pro­tec­tion laws”. Accor­ding to the com­pa­ny, the con­cerns expres­sed by DSK do not ade­qua­te­ly take into account the chan­ges alre­a­dy made and are based on seve­ral misun­derstan­dings regar­ding the func­tio­ning of the services.

Com­pa­ri­son of the main statements

Here you can find our initi­al assess­ment of the DSK’s state­ment. In this report, we came to the con­clu­si­on that it is still pos­si­ble to use Micro­soft 365 in a man­ner that com­pli­es with data pro­tec­tion requi­re­ments. The fol­lo­wing com­pa­ri­son of the main diver­ging state­ments from the two opi­ni­ons is also inten­ded to pro­vi­de gui­dance for the (legal) eva­lua­ti­on of the use of Micro­soft 365. You can find our one-page report on data pro­tec­tion com­pli­ance with Micro­soft 365 here.