Regulators and Microsoft express their views
On 25 November 2022, the Data Protection Conference (DSK), the body of independent German federal and state data protection supervisory authorities, published an opinion on Microsoft 365. The opinion is the result of a series of joint discussions between DSK and Microsoft, following DSK’s initial assessment of Microsoft Office 365 (now: Microsoft 365). After DSK came to the conclusion in 2020 that “no use of Microsoft Office 365 is possible under data protection law”, only “minor improvements” are now said to be discernible. In this article, we present and evaluate the main points of contention. At the end, you can download a detailed comparison of the positions and our assessment.
Evaluation by DSK
The basis of DSK’s current assessment is the Microsoft Products and Services Data Protection Addendum (“DPA”) as amended on 15 September 2022. DSK emphasises that, beyond the evaluation of the contractual framework, no technical examination of the processing operations and no evaluation of how the contractual arrangements are implemented has taken place. The main points of criticism include what DSK regards as non-transparent processing of data by Microsoft for its own purposes, as well as the transfer of data to the United States; the new Executive Order of the US President of 7 October 2022 has expressly not yet been taken into account in the assessment.
Statement by Microsoft
Microsoft already reacted to the DSK assessment on the same day by publishing its own statement. In it, the company states that Microsoft 365 products “not only meet, but often exceed, strict EU data protection laws”. According to the company, the concerns expressed by DSK do not adequately take into account the changes already made and are based on several misunderstandings regarding the functioning of the services.
Comparison of the main statements
Here you can find our initial assessment of the DSK’s statement. In this report, we came to the conclusion that it is still possible to use Microsoft 365 in a manner that complies with data protection requirements. The following comparison of the main diverging statements from the two opinions is also intended to provide guidance for the (legal) evaluation of the use of Microsoft 365. You can find our one-page report on data protection compliance with Microsoft 365 here.