Lower Saxony's data protection authority considers Office 365 "highly critical." Is it? We say no.

Stefan Hessel

Status quo

Numerous reports and product warnings have been issued about Microsoft Office 365 and other collaboration and video conferencing platforms since the start of the pandemic, unsettling companies and other users. The office of the Commissioner for Data Protection of the Federal State of Lower Saxony (only in German) announced this week that it considers use of Office 365 to be "highly critical" and urgently advised against using the program from the viewpoint of data protection law. In the past, the Conference of Independent Federal and State Data Protection Authorities (DSK) (only in German) had also examined the question as to whether Office 365 can be used in accordance with data protection law in the public and non-public sector. In an extremely tight 9-8 decision, it found based on the reviewed documents that "at least as of January 2020, Microsoft Office 365 cannot be used in a manner which conforms to data protection law." Since then, supervisory authorities have been in discussions with Microsoft in an effort to address data protection concerns. To our knowledge, the authorities have not undertaken any additional measures, such as e.g. prohibiting data processing with Office 365, and such orders appear to be highly unlikely while the discussions are ongoing. This conclusion is also supported by a press release from Lower Saxony's data protection authority stressing that it has "not yet issued any such order or prohibition." (only in German)

Meanwhile, Office 365 continues to be used in schools. The office of the Commissioner for Data Protection and Freedom of Information for the Federal State of Hesse had previously stated that toleration of the use of all video systems which fail to meet all of the requirements of data protection law would expire on 31 July 2021 (only in German), but has now announced that tolerance of these products will be extended until further notice following a delay in the process for awarding a new contract (only in German). On a fundamental level, Minister-President Tobias Hans of the Federal State of Saarland recently criticized the idea of banning functional digital technologies due to data privacy concerns (only in German) and called for easing requirements in data protection law so as to allow for their use.

Criticism by the data protection authority of Lower Saxony

In its recent press release, the criticism expressed by the Lower Saxony data protection authority were mainly focused on two aspects. First, it stressed that the processing agreements with Microsoft are problematic. But unfortunately, it remains unclear what exactly the authority means by this and whether its criticism goes beyond the comments made by DSK about earlier versions of the agreements (only in German). Lower Saxony's data protection authority also criticizes the background transfer of telemetry data, for which there is currently no legal basis, according to the authority. In this case as well, it is unclear whether the authority's criticism goes beyond the aspects concerning the processing of telemetry data which have already been cited by DSK, which related primarily to use of Office 365 by public authorities (only in German).

We can therefore state that the recent press release from Lower Saxony's data protection authority gives no indication of any new criticism of Office 365 in terms of data protection law. As a result, companies in the process of evaluating use of Office 365 may continue to use last year's DSK resolution when incorporating the position of the supervisory authorities into their data protection analysis, even though this resolution has itself drawn significant criticism from some of the supervisory authorities (only in German).

Can they do that?

The GDPR does not authorize supervisory bodies to conduct general product evaluations and doing so with no legal basis could expose them to numerous damage claims from affected manufacturers. A preliminary DSK opinion (only in German) concludes that there may be legal basis for the authorities' previous evaluations and product warnings if those actions are classified as measures to promote public awareness in accordance with Article 57(1) of the GDPR. But it remains questionable whether the principles of objectivity and accuracy were satisfied in each individual case (only in German). The most prominent example of these actions during the pandemic were those concerning the video conferencing service Zoom. On the whole, a cautious approach on the part of the supervisory authorities would be welcome in light of the enormous impact of product warnings (only in German) and the threat of damage claims in case of misconduct by the authorities.

What do we advise companies?

Given that the regulatory situation is still unclear and unsettled, companies are advised to closely examine their use of Office 365. In doing so, however, they should not attach too more importance to the opinions and statements of individual supervisory authorities, particularly those which do not present concrete criticism. Whether or not Office 365 and other collaboration and video conferencing services comply with data protection law should be evaluated based on the GDPR and the applicable case law. In particular, the requirements arising from the ECJ's "Schrems II" decision should be heeded in this context. The conduct of this evaluation should be documented by the company in each case, and all individual options for adapting to the requirements should be exhausted, with the assistance of technical experts if necessary.

Please contact our Digital Business Unit at any time if you have any further questions relating to data protection with Office 365 or other collaboration or video conferencing services.

[July 2021]