The German Data Protection Conference (DSK) – which consists of the German Federal Data Protection Authority and 16 state regulators – said that, given the lack of transparency around how Microsoft collects and processes personal data, as well as the potential for third-party access to it, the use of Office 365 is not legally compliant with the General Data Protection Regulation (GDPR).
A report by a DSK working group said that Vole did not disclose which processing operations are carried out on behalf of the customer and which are carried out for its own purposes.
“The contractual documents are not precise in this regard and do not allow for conclusive evaluation of processing, which may even be extensive, including for the company’s own purposes. The use of personal data of the users (e.g. employees or students) for the provider’s own purposes precludes the use of a processor in the public sector (especially at schools).”
This essentially means that, due to the lack of transparency, it is impossible for regulators to assess from the outside exactly what information Microsoft is collecting, and how it is using this data, making it unlawful to use under GDPR.
The report added that the working group’s discussions with Microsoft confirmed that personal data would always be transferred to the US when Office 365 is used, stating that it was “not possible to use Microsoft 365 without transferring personal data to the USA”.
The DSK working group has been looking at how to improve Office 365 to ensure compliance with European data protection standards for two years, after Microsoft discontinued its German cloud offering in August 2018 and state regulators started flagging issues with the service. It has not had much luck.
While Vole agreed with the working group to make a number of changes to its systems, including adopting some of the European Commission’s standard contractual clauses (SCCs) and laying out in greater detail how it processes data, the changes were deemed insufficient by the DSK. These changes were detailed in an updated version of Microsoft’s Products and Services Data Protection Addendum.
Microsoft, however, contends that it is still possible for German schools to use Office 365 in a legally compliant manner and that its products “not only meet, but often exceed, the strict EU data protection laws”.
It said the DSK’s concerns do not adequately take into account changes the company has already made to its systems, and stem from “several misunderstandings” about how its services work.
“We take DSK’s demand for more transparency to heart. While our transparency standards already exceed those of most other providers in our sector, we are committed to becoming even better. In particular, as part of our planned EU data border, we will provide further documentation on our customers’ data flows and the purposes of processing in the interests of transparency. We will also provide more transparency about the locations and processing by sub-processors and Microsoft employees outside the EU.”
It added: “In the interests of greater transparency, we would appreciate the full report being released with the detailed responses and comments submitted to Microsoft’s DSK, but with appropriate redacting.”