The use of Micro­soft 365 in France

The Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are known to be cri­ti­cal of the use of Micro­soft 365. Howe­ver, not least becau­se of the full har­mo­ni­sa­ti­on of the GDPR, the voices of other data pro­tec­tion super­vi­so­ry aut­ho­ri­ties are also rele­vant in data pro­tec­tion assess­ments. In this respect, it is par­ti­cu­lar­ly inte­res­t­ing to look across the bor­der at France.

French govern­ment reli­es on its own cloud solutions

In a cir­cu­lar dated 15 Sep­tem­ber 2021, the inter-ministerial direc­tor for the digi­ti­sa­ti­on of the sta­te urged French aut­ho­ri­ties to stop rely­ing on Micro­soft 365 for digi­ti­sa­ti­on of minis­tries becau­se of pos­si­ble access by US intel­li­gence agen­ci­es. The use of Micro­soft 365 was alle­gedly not com­pa­ti­ble with the French “cloud doc­tri­ne”. Unvei­led in May 2021, the doc­tri­ne aims to migra­te French admi­nis­tra­ti­ve ope­ra­ti­ons to the cloud, though not to Micro­soft. Ins­tead, solu­ti­ons deve­lo­ped by the French sta­te or cer­ti­fied with the “SecNum­Cloud” label by the French cyber­se­cu­ri­ty aut­ho­ri­ty are to be used.

Fol­lo­wing a par­lia­men­ta­ry ques­ti­on, the French Minis­ter of Edu­ca­ti­on also recent­ly com­men­ted on Micro­soft 365 at edu­ca­tio­nal insti­tu­ti­ons. The par­lia­men­ta­ry ques­ti­on from an MP was actual­ly aimed at the issue of whe­ther ver­si­ons of the respec­ti­ve cloud pro­ducts pro­vi­ded free of char­ge by Micro­soft (but also Goog­le) for edu­ca­tio­nal insti­tu­ti­ons might not con­sti­tu­te a dis­tor­ti­on of com­pe­ti­ti­on. Ins­tead of ela­bo­ra­ting on this issue, the respon­si­ble minis­ter sta­ted that the edu­ca­tio­nal insti­tu­ti­ons are being asked not to use the respec­ti­ve solutions.

No expli­cit deter­mi­na­ti­on by the CNIL

Howe­ver, both of the afo­re­men­tio­ned cases mere­ly reflect the poli­ti­cal view of the French govern­ment and, with the minis­tries and edu­ca­tio­nal insti­tu­ti­ons, also refer to indi­vi­du­al­ly deli­mi­t­ed are­as. The respon­si­ble French data pro­tec­tion super­vi­so­ry aut­ho­ri­ty, the Com­mis­si­on Natio­na­le de l’In­for­ma­tique et des Liber­tés (CNIL), has not yet issued a gene­ral state­ment on the use or data pro­tec­tion com­pli­ance of Micro­soft 365. Howe­ver, in an infor­ma­ti­ve let­ter dated 27 May 2021, in respon­se to the ECJ’s “Schrems II” Ruling, the CNIL recom­men­ded that uni­ver­si­ties use pro­ducts from Euro­pean ven­dors. At the same time, howe­ver, the CNIL stres­sed that a tran­si­ti­on peri­od was jus­ti­fied due to the chal­lenges posed by the pan­de­mic and to main­tain edu­ca­tio­nal and rese­arch projects.


The CNIL has not yet taken an expli­cit posi­ti­on against the use of Micro­soft 365 in France and has not made a final data pro­tec­tion assess­ment. It is striking that all comm­ents, some of which date back seve­ral years, refer signi­fi­cant­ly to the repea­led ade­quacy decis­i­on on the EU-US Pri­va­cy Shield. In the mean­ti­me, howe­ver, Micro­soft has made num­e­rous chan­ges to its order pro­ces­sing agree­ment and has begun imple­men­ting the EU Data Boun­da­ry. In addi­ti­on, a new Exe­cu­ti­ve Order from the US Pre­si­dent has ente­red into force and an ade­quacy decis­i­on from the EU Com­mis­si­on on the Trans-Atlantic Data Pri­va­cy Frame­work can be expec­ted soon. Con­se­quent­ly, the basis of the assess­ment at that time has chan­ged dra­ma­ti­cal­ly and a reas­sess­ment is requi­red. Accor­ding to our infor­ma­ti­on, the CNIL is likely to take a new posi­ti­on on this issue in the fore­seeable future.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.