Lower Saxony’s data protection authority considers Office 365 “highly critical.” Is it? We say no.

Status quo

Numerous reports and product warnings have been issued about Microsoft Office 365 and other collaboration and video conferencing platforms since the start of the pandemic, unsettling companies and other users. The office of the Commissioner for Data Protection of the Federal State of Lower Saxony (only in German) announced this week that it considers use of Office 365 to be “highly critical” and urgently advised against using the program from the viewpoint of data protection law. In the past, the Conference of Independent Federal and State Data Protection Authorities (DSK) (only in German) had also examined the question as to whether Office 365 can be used in accordance with data protection law in the public and non-public sector. In an extremely tight 9–8 decision, it found based on the reviewed documents that “at least as of January 2020, Microsoft Office 365 cannot be used in a manner which conforms to data protection law.” Since then, supervisory authorities have been in discussions with Microsoft in an effort to address data protection concerns. To our knowledge, the authorities have not undertaken any additional measures, such as prohibiting data processing with Office 365, and such orders appear to be highly unlikely while the discussions are ongoing. This conclusion is also supported by a press release from Lower Saxony’s data protection authority stressing that it has “not yet issued any such order or prohibition.” (only in German)

Meanwhile, Office 365 continues to be used in schools. The office of the Commissioner for Data Protection and Freedom of Information for the Federal State of Hesse had previously stated that toleration of the use of all video systems which fail to meet all of the requirements of data protection law would expire on 31 July 2021 (only in German), but has now announced that tolerance of these products will be extended until further notice following a delay in the process for awarding a new contract (only in German). On a fundamental level, Minister-President Tobias Hans of the Federal State of Saarland recently criticized the idea of banning functional digital technologies due to data privacy concerns (only in German) and called for easing requirements in data protection law so as to allow for their use.

Criticism by the data protection authority of Lower Saxony

In its recent press release, the criticism expressed by the Lower Saxony data protection authority was mainly focused on two aspects. First, it stressed that the processing agreements with Microsoft are problematic. But unfortunately, it remains unclear what exactly the authority means by this and whether its criticism goes beyond the comments made by DSK about earlier versions of the agreements (only in German). Lower Saxony’s data protection authority also criticizes the background transfer of telemetry data, for which there is currently no legal basis, according to the authority. In this case as well, it is unclear whether the authority’s criticism goes beyond the aspects concerning the processing of telemetry data which have already been cited by DSK, which related primarily to use of Office 365 by public authorities (only in German).

We can therefore state that the recent press release from Lower Saxony’s data protection authority gives no indication of any new criticism of Office 365 in terms of data protection law. As a result, companies in the process of evaluating use of Office 365 may continue to use last year’s DSK resolution when incorporating the position of the supervisory authorities into their data protection analysis, even though this resolution has itself drawn significant criticism from some of the supervisory authorities (only in German).

Can they do that?

The GDPR does not authorize supervisory bodies to conduct general product evaluations, and doing so with no legal basis could expose them to numerous damage claims from affected manufacturers. A preliminary DSK opinion (only in German) concludes that there may be a legal basis for the authorities’ previous evaluations and product warnings if those actions are classified as measures to promote public awareness in accordance with Article 57(1) of the GDPR. But it remains questionable whether the principles of objectivity and accuracy were satisfied in each individual case (only in German). The most prominent example of these actions during the pandemic was that concerning the video conferencing service Zoom. On the whole, a cautious approach on the part of the supervisory authorities would be welcome in light of the enormous impact of product warnings (only in German) and the threat of damage claims in case of misconduct by the authorities.

What do we advise companies?

Given that the regulatory situation is still unclear and unsettled, companies are advised to closely examine their use of Office 365. In doing so, however, they should not attach too much importance to the opinions and statements of individual supervisory authorities, particularly those which do not present concrete criticism. Whether or not Office 365 and other collaboration and video conferencing services comply with data protection law should be evaluated based on the GDPR and the applicable case law. In particular, the requirements arising from the ECJ’s “Schrems II” decision should be heeded in this context. The conduct of this evaluation should be documented by the company in each case, and all individual options for adapting to the requirements should be exhausted, with the assistance of technical experts if necessary.

Please contact our Digital Business Unit at any time if you have any further questions relating to data protection with Office 365 or other collaboration or video conferencing services.

