The Datenschutzkonferenz (DSK), Germany's Conference on Data Protection, unveiled on November 25 the findings of a working group formed two years ago to examine whether the Microsoft 365 cloud service complies with the General Data Protection Regulation. Verdict? Insufficient effort.
The German authorities regret a lot of vagueness in the contracts
One of the main results of the German report resonates on the other bank of the Rhine. In mid-November, the Minister of National Education, Pap Ndiaye, excluded the use of the free Microsoft 365 cloud offer in French schools. Many of the criticisms expressed by the minister are reflected in the German report.
The working group launched in September 2020 brought together several German data protection authorities, the equivalent of the CNIL at the federal level or at the level of the Länder, the regions. Microsoft was also able to participate with a view to resolving the issues raised. The American company, moreover, updated its contracts two years later to address German concerns, insufficiently according to the text of the DSK (PDF).
Several criticisms are leveled at Microsoft, mainly the vagueness maintained in its wording. For instance, the company does not indicate in detail how the data is processed, which makes this processing impossible to assess. The same vagueness applies to the data that Microsoft considers legitimate to keep for its own activities. The question of the data retention and deletion policy is also raised. The working group believes that the September 2022 amendment did not bring "substantial improvements" on these points.
One of the subjects addressed by the working group is the transfer to the United States of the personal data of German, and more generally European, customers of the Microsoft 365 cloud. Since the end of the Privacy Shield in 2020, a legal problem has arisen for all digital companies transferring European data across the Atlantic.
Microsoft is no exception: the European Data Protection Board has already launched an investigation into this, which also covers AWS, Amazon's cloud service. The DSK text confirms that Microsoft 365 cannot operate without data transfer to the United States.
It also considers that encrypting the data is impossible for the company. Regulators admit that in this regard they "have so far failed to identify additional safeguards that could lead to the legality of data export". Microsoft has committed to localizing a portion of its regional customer data in the European Union, initially by the end of 2022, but that doesn't seem to be the case yet. Negotiations are underway between Washington and Brussels to find a successor to the Privacy Shield, but there is no indication that it will not itself be quickly overturned by the Court of Justice of the European Union.
Microsoft denies point by point
Contacted by TechCrunch, which spotted the DSK press release, the American company said they "respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms". Microsoft also recalled having cooperated with the DSK, adding that "although we disagree with the DSK report, we are committed to addressing the remaining concerns".
The working group convened by the DSK was not intended to comprehensively study any flaws in Microsoft's GDPR compliance. The result of the study does not imply the launch of a procedure in the immediate future. However, it could inspire the launch of a future investigation. According to TechCrunch, the Irish data protection authority, which is in charge of matters related to Microsoft because the company has its European headquarters in Dublin, has no proceedings in progress. The Microsoft 365 cloud, on the other hand, is under attack on competition grounds. OVH and other companies in the industry believe that the professional software suite is used to gain a competitive advantage in the market. On this point too, the American company denies the claims.