On 25 November 2022, the German Data Protection Conference (Datenschutzkonferenz, DSK), the body of independent German federal and state data protection supervisory authorities, published an opinion on Microsoft 365, resulting in a determination by the DSK that “it is not possible to demonstrate that data controllers operate Microsoft 365 in compliance with data protection law […]” Microsoft reacted to the DSK assessment on the same day by publishing its own statement. In this article, we outlined the main points of contention and compared and legally evaluated the positions of the players involved. Microsoft has done a lot since then. It’s now time for an update!
Microsoft 365 privacy update
After the DSK had initially only published a summary of its statement, the final report of the DSK “Microsoft Online Services” working group was subsequently also made available. The final report enables a detailed discussion of the individual points of criticism made by the authorities. In addition, some German data protection supervisory authorities have announced that they will now approach data controllers in public bodies and companies to check compliance with data protection requirements when using Microsoft 365. Microsoft has published a new Products and Services Data Protection Addendum (DPA) and an updated list of sub-processors used, effective 1 January 2023. In addition, Microsoft has launched the EU Data Boundary for the Microsoft Cloud, a European cloud solution for public agencies and enterprises, since the beginning of this year. The details of what has changed and how these changes affect the question of a data-protection-compliant use of Microsoft 365 can be found here.
For the time being, whether and how the data protection supervisory authorities will react to Microsoft’s improvements remains to be seen. With comprehensive documentation and assessment of risks, as well as appropriate mitigation measures, GDPR-compliant use of Microsoft 365 can be well justified for both public bodies and enterprises. Controversial discussions with the data protection supervisory authorities will then not have to be feared by data controllers.
You can find our one-page report on data protection compliance with Microsoft 365 here.back