The Datenschutzkonferenz (DSK), the conference on data protection in Germany, revealed on November 25 the result of a working group set up two years ago on compliance with the General Data Protection Regulation for the cloud service Microsoft 365. Verdict? Insufficient effort.
The German authorities regret many ambiguities in the contracts
One of the most important findings of the German report finds an echo on the other side of the Rhine. In mid-November, the French Minister of National Education, Pap Ndiaye, ruled out the use of the free Microsoft 365 cloud offer in French schools. Many of the reproaches expressed by the minister are reflected in the German report.
The working group, launched in September 2020, brought together several German data protection authorities, the equivalents of the CNIL at the federal level and at the level of the states (the regions). Microsoft was also able to participate in order to resolve the issues raised. The American company also updated its contracts two years later to address German concerns, insufficiently so according to the text of the DSK (PDF).
Several points of criticism are leveled at Microsoft, mainly the vagueness maintained in its wording. For example, the company does not specify in detail how the data is processed, which would make this processing impossible to assess. The same vagueness surrounds the data that Microsoft would consider it legitimate to keep for its own activities. The question of the data retention and deletion policy is also raised. The working group believes that the change from September 2022 did not result in "significant improvements" on these points.
One of the topics addressed by the working group is the transfer of personal data of German, and more generally European, customers of Microsoft 365 on the cloud to the United States. Since the end of the Privacy Shield in 2020, a legal problem has arisen for all digital companies transferring European data across the Atlantic.
Microsoft is no exception: the European Data Protection Board has already launched an investigation into this, including AWS, Amazon's cloud service. The DSK text confirms that Microsoft 365 cannot function without data transfer to the US.
It also holds that encryption of data is impossible for the company. The regulatory authorities admit that in this regard they "have so far failed to identify additional safeguards that may lead to the legality of data export". Microsoft has committed to localizing part of its regional customer data in the EU, initially by the end of 2022, but that doesn't seem to be the case yet. Negotiations are underway between Washington and Brussels to find a successor to the Privacy Shield, but there is no evidence that it will not itself be quickly overturned by the European Court of Justice.
Microsoft rejects the findings point by point
Contacted by TechCrunch, which saw the DSK press release, the American company replied that they "respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many proposed changes to our data protection terms". Microsoft also recalled having collaborated with the DSK and added: "While we disagree with the DSK report, we are committed to addressing the remaining concerns".
The working group convened by the DSK did not intend to thoroughly investigate any shortcomings in Microsoft's GDPR compliance. The result of the investigation does not imply the launch of a procedure in the near future. However, it may inspire the launch of a future study. According to TechCrunch, the Irish data protection authority, which is responsible for matters related to Microsoft as the company has its European headquarters in Dublin, has no pending cases. Microsoft 365 Cloud, on the other hand, is under attack on a competitive level. OVH and other companies in the industry believe that the professional software package is used to gain a competitive advantage in the market. On this point, too, the American company rejects the accusations.