When it comes to data protection with Microsoft 365, in addition to data transfers to the USA , the processing of telemetry and diagnostic data is often criticised. Occasionally, it is even claimed that data protection law prohibits Microsoft from using data for its own business purposes. These FAQs are intended to dispel such myths and support responsible parties who use Microsoft 365 or are planning to introduce it in a privacy-compliant manner.
- What is telemetry and diagnostic data?
Telemetry data are any data collected by telemetry that, despite pseudonymisation, may contain information that identifies an individual user. Therefore, telemetry data are at least partially personal data. Part of telemetry data is diagnostic data, which contains information about the devices used and the performance of the applications used. A distinction must be made between optional and essential diagnostic data. While the processing of optional diagnostic data can be disabled by the customer, this is not possible for the diagnostic data necessary for essential services. Necessary diagnostic data in particular are therefore the focus of criticism under data protection law. - For what purposes does Microsoft process these data?
In accordance with the Data Protection Addendum (DPA) , Microsoft processes data for its own business activities . This includes, in particular, billing and account management, compensation, internal reporting and business modeling, combating fraud, cybercrime or cyberattacks, improving core service functionality, and financial reporting and compliance with legal obligations. In a statement dated 11 August 2022 , Microsoft explicitly clarifies: “Diagnostic data are necessary to keep products and services running safely and stably.” - Does Microsoft’s data processing violate data processing agreements?
No. The data processing when using Microsoft 365 and the data processing for Microsoft’s own business activities are separate processing operations that must be considered individually according to the legal rulings of the ECJ. With the DPA, the parties clarify that Microsoft acts as a controller with respect to processing for its own business activities and that this processing operation is not part of job data processing. The DPA is not a mere data processing agreement, but also contains further information and declarations on data protection. In our view, Microsoft is thus also taking into account the criticism of the German Data Protection Conference (Datenschutzkonferenz, DSK) regarding unclear responsibilities under data protection law and preventing possible misunderstandings. - Is Microsoft solely responsible or is there joint responsibility?
Prerequisite for joint responsibility is the joint determination of the purposes and means of a processing operation, which is affirmed in part on the basis of the DPA agreement. Publicly, this view has so far only been adopted in the June 2019 Data Protection Impact Assessment (DSFA) on Office 365 ProPlus by the Dutch Ministry of Justice regarding legacy Microsoft contracts. However, in the 2022 DSFA on Microsoft Teams, OneDrive, SharePoint, and Azure AD , the Dutch Ministry of Justice takes this view only in a significantly weakened form. The DSK, on the other hand, affirms Microsoft’s sole responsibility in its 2020 position paper . Microsoft’s sole responsibility is also supported by a guideline issued by the data protection authority of North Rhine-Westphalia on online examinations at universities . In it, the authority argues that the processing of transport and metadata in so-called “mixed services” (e.g., video conferencing services with a document management system) is not job data processing, but is the sole responsibility of the service provider and subject to telecommunications secrecy. In a sample letter from the Baden-Württemberg data protection authority on Microsoft Office 365, the authority explicitly leaves the question of responsibilities open. A uniform line of the German and European data protection supervisory authorities is currently not perceptible. - Is there any data disclosure to Microsoft?
This is also controversial. In some cases, however, it is argued that disclosure should already exist because customers do not prevent Microsoft from processing data, thus passively opening an opportunity for Microsoft to collect the data. This line of argument seems to be followed, albeit without further justification, by the model letter of the data protection supervisory authority of Baden-Württemberg and the position paper of the DSK . The preferred view, however, is that disclosure requires positive action by the controller, so the mere opportunity for data collection by Microsoft does not establish disclosure by customers. The concept of data processing by omission is alien to the GDPR and must be rejected as contrary to the system. - Assuming disclosure, what is the legal basis?
While companies and other non-public entities could base disclosure on a legitimate interest, public entities are barred from doing so. The latter can at most refer to the performance of a necessary task that is in the public interest. Regulators tend to dismiss this with a blanket reference to all Microsoft business activities identified in the DPA. More correctly, however, differentiated advice must be given with regard to specific business activities.
Practical recommendation
Microsoft 365 is technically extremely complex and offers a wide range of options for processing personal data. A blanket statement on data protection compliance is therefore not possible. Instead, depending on the specific use, it must be examined for which purposes personal data are processed with Microsoft 365 and what legal bases can be used for the processing in each case. Based on the specific use, possible risks to data privacy and appropriate remedial measures should also be identified and implemented. We have had very good experience with this approach in numerous implementation projects.
back