The German data protection supervisory authorities are known to be critical of the use of Microsoft 365. However, not least because of the full harmonisation of the GDPR, the voices of other data protection supervisory authorities are also relevant in data protection assessments. In this respect, it is particularly interesting to look across the border at France.
French government relies on its own cloud solutions
In a circular dated 15 September 2021, the inter-ministerial director for the digitisation of the state urged French authorities to stop relying on Microsoft 365 for digitisation of ministries because of possible access by US intelligence agencies. The use of Microsoft 365 was allegedly not compatible with the French “cloud doctrine”. Unveiled in May 2021, the doctrine aims to migrate French administrative operations to the cloud, though not to Microsoft. Instead, solutions developed by the French state or certified with the “SecNumCloud” label by the French cybersecurity authority are to be used.
Following a parliamentary question, the French Minister of Education also recently commented on the use of Microsoft 365 at educational institutions. The MP's question was actually aimed at whether the versions of the respective cloud products that Microsoft (and also Google) provide free of charge to educational institutions might constitute a distortion of competition. Instead of elaborating on this issue, the responsible minister stated that the educational institutions are being asked not to use the respective solutions.
No explicit determination by the CNIL
However, both of the aforementioned cases merely reflect the political view of the French government and, being limited to ministries and educational institutions, concern only individually delimited areas. The responsible French data protection supervisory authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), has not yet issued a general statement on the use or data protection compliance of Microsoft 365. However, in an informative letter dated 27 May 2021, in response to the ECJ’s “Schrems II” ruling, the CNIL recommended that universities use products from European vendors. At the same time, the CNIL stressed that a transition period was justified due to the challenges posed by the pandemic and to maintain educational and research projects.
The CNIL has not yet taken an explicit position against the use of Microsoft 365 in France and has not made a final data protection assessment. It is striking that all comments, some of which date back several years, refer significantly to the repealed adequacy decision on the EU-US Privacy Shield. In the meantime, however, Microsoft has made numerous changes to its order processing agreement and has begun implementing the EU Data Boundary. In addition, a new Executive Order from the US President has entered into force and an adequacy decision from the EU Commission on the Trans-Atlantic Data Privacy Framework can be expected soon. Consequently, the basis of the assessment at that time has changed dramatically and a reassessment is required. According to our information, the CNIL is likely to take a new position on this issue in the foreseeable future.