Microsoft 365 faces darkening GDPR compliance clouds after German report

Legal trouble may be brewing for Microsoft in the European Union, where an assessment by a working group of German data protection regulators that's spent around two years looking into a swathe of privacy concerns attached to its cloud-based 365 productivity products -- including by engaging directly with the tech giant to try to get it to fix compliance issues -- has found Microsoft has still not been able to resolve any of the compliance problems they've raised with it.

The working group's update could crank up pressure on Microsoft 365 customers in Germany -- and elsewhere in the European Union where the same data protection framework applies and other regulators are also investigating cloud services' General Data Protection Regulation (GDPR) compliance -- to reassess usage of its software and/or seek out less compliance-challenged alternatives.

The EU's data protection supervisor (EDPS), which oversees the bloc's own institutions' GDPR compliance, has been looking into the European Commission’s use of Microsoft Office 365 since May last year -- as well as probing EU bodies' use of Amazon's cloud services.

The European Data Protection Board (EDPB) also kicked off a related coordinated enforcement action in February that it said would focus on the public sector's use of cloud services -- which it said would take about a year to report, with the aim for the action to harmonize regulatory interventions in this area.

"Use of non-compliant ICT products and services by the public sector threatens the protection of personal data of all EU residents," the EDPS wrote in an update on its probe in April (which also does not appear to have concluded and finally reported yet). "Public sector bodies at national and EU level have a duty to lead by example, including when it comes to outsourcing and transfers of personal data within and outside the EEA [European Economic Area]."

Microsoft announced some changes to its cloud contact terms in Europe back in 2019, following an earlier warning by the EDPS raising serious concerns -- and after a Dutch ministry obtained some contractual changes and technical safeguards and settings in amended contracts it agreed with Microsoft that year after it requested changes -- but it remains to be seen how the data supervisor will assess GDPR compliance for use of its cloud services now.

For one thing, it's a more complicated situation for EU-US data transfers at present, in the wake of the July 2020 Schrems II CJEU ruling -- and still with no replacement transatlantic data transfers agreement formally adopted by the bloc.

German working group weighs in

The German working group's report is focused on assessing Microsoft 365's (née Microsoft Office 365) compliance with certain provisions of the pan-EU GDPR -- after an earlier assessment by a local regulator, in January 2020, found that "no data protection-compliant use of Microsoft Office 365 is possible."

Among the ongoing issues raised by the group are concerns over a lack of clarity and precision in Microsoft's contracts and processing for 365, and the legal base it claims to process data -- including for what it describes as "legitimate business purposes."

The working group said a central theme of the talks was trying to determine in which cases Microsoft acts as a data controller, which carries a more expansive set of responsibilities under EU data protection law (e.g., accountability obligations), and in which scenarios it's only a processor (as the 365 customer is the controller) -- but their summary concludes: "This could not be conclusively clarified."

They also query the viability of Microsoft relying on a "legitimate interest" ground as a legal base for processing data for its own purposes where 365 customers are public sector organizations like schools, with the group raising doubts that it can be applied in that context.

Their report also questions the sufficiency of additional technical and organizational measures added by Microsoft in response to concerns about the safety of exported data -- arguing that legal uncertainties remain over the claimed security measures, which it points out cover only a subset of personal data subject to the contract.

In a statement accompanying the report, the Datenschutzkonferenz (DSK) -- a steering body for Germany's decentralized application of data protection law -- said it's not possible for users of Microsoft's cloud-based software to demonstrate compliance in spite of a series of changes it made to its 365 contracts in a data protection addendum from September 2022, which are assessed as being only "minor improvements" compared to the problems identified.

Or, put another way, the group's conclusion is there's currently no way to use Microsoft 365 in compliance with the GDPR.

Summarizing their assessment of Microsoft's response to earlier compliance concerns, the group said it was not able to achieve "any significant improvements" in contract wording, regarding types and purposes of processing -- noting that comprehensive descriptions and details are still lacking.

While it has taken the view that contractual amendments made by Microsoft as a result of this regulatory engagement -- with regards to its own processing for so-called business activities (previously described in its contracts as "legitimate business purposes") -- are also superficial wording tweaks that do not bring any "substantial improvements."

On that, the report refers to a statement made by Microsoft that it has not actually made any adjustments to its processing activities. The group's assessment remains, therefore, that Microsoft continues to grant itself insufficiently limited rights for certain types of processing.

Microsoft's large-scale collection of telemetry and diagnostic data -- under what legal basis -- is another concern for the regulators, with the group suggesting the data is processed by Microsoft "fundamentally for self-interested purposes" -- which they point out is a particular challenge for public sector users of 365 to be able to justify under the GDPR.

Data transfers out of the EU are another area of focus, given ongoing legal uncertainties related to EU data exports to third countries like the U.S. (and the group points out it's not currently possible to use Microsoft 365 without data being processed in the U.S.). There are also concerns about legal issues arising as a result of U.S. laws like the Cloud Act and FISA 702 -- which could compel Microsoft to hand over customer data, which runs counter to EU privacy laws that require data to be adequately protected outside the bloc as well as within.

The working group points out that many 365 services require Microsoft to access customer data in the clear -- meaning the obvious fix of applying strong encryption is not regularly available in this cloud service context.

Microsoft's policies on retention and deletion of data also do not always meet the requirements set out in the GDPR, per the group's report.

They are also unimpressed by the level of notification and detail Microsoft provides to customers about subprocessors/subcontractors -- which is says falls below the specificity afforded in the updated Standard Contractual Clauses template provided by the European Commission last year.

Contacted for a response to the working group's criticisms, Microsoft sent us this statement:

“Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”

It also pointed to a blog post it published in German (the same statement is here in English translation) in which it expands on its claim of no EU privacy law concerns attached to Microsoft 365 products -- arguing that the DSK's concerns "do not appropriately reflect" changes it claims to have already undertaken and making a further assertion that the working group has misunderstood how its services operate and measures (and "significant changes") it says it's already implemented.

Microsoft gives examples of "an improved notification process for subprocessor changes" and "further clarifications" -- relative to its use of personal data for "business operations incident to providing services to our customers."

But its statement does appear to acknowledge the need for it to go further on transparency.

"Microsoft fully cooperated with the DSK, and while we disagree with the DSK’s report, we are committed to addressing remaining concerns," it writes, adding: "We take to heart the DSK’s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better.

"Specifically, as part of our EU Data Boundary commitments, we will provide additional transparency documentation on customer data flows and the purposes of processing. We will also provide more transparency documentation on the processing and location by subprocessors and Microsoft employees outside of the EU."

The EU Data Boundary refers to a pledge made by Microsoft in May last year to localize regional cloud customers' data in the EU -- as a response to the legal uncertainty that's clouded transatlantic data transfers for years (most recently since the July 2020 so-called Schrems II decision by the bloc's top court, which struck down the EU-US Privacy Shield arrangement).

The tech giant's attempt to deflect German regulators' concerns leans heavily on a couple of things that don't actually exist yet -- with Microsoft referencing "important" changes incoming via an agreement for a new data transfer deal between the EU and the U.S., which it suggests the DSK’s report "fails to reflect" -- claiming the expected deal will "provide greater privacy protections for data flows between the EU and U.S."

The thing is, that data transfer deal has only been agreed politically for now -- and the EDPB has made it clear it cannot apply legally until it is formally adopted by EU lawmakers (which is not expected to happen until next year).

Microsoft's EU Data Boundary also isn't yet up and running -- although it previously said it would be operational by the end of 2022.

But even if that does land soon, it's not clear whether data localization will fix all of Microsoft's woes here -- given, for example, the US Cloud Act can reach data that's stored outside the U.S.

It will also not be 100% data localization, with some data exports remaining "necessary," per Microsoft. So, again, it does not sound like a panacea.

Microsoft's statement referenced above links to a second (seven-page) statement, which it has made available only in German and which it says offers a "more detailed" response to some of the issues raised.

In this expanded statement (which we've translated using machine translation), Microsoft offers a point-by-point rebuttal to the DSK's concerns and also claims the EU Data Boundary will "significantly reduce" data flows outside Europe and boost transparency by providing "detailed documentation on remaining, necessary data flows."

The document also goes on the attack, accusing "some" German regulators of interpreting GDPR in what it couches as an "excessively risk-averse manner" -- which Microsoft claims "overburdens and paralizes those responsible" as a result of "excessive expectations of accountability."

It will be up to the EU's regulators to determine whether anything Microsoft argues can really fix the raft of legal issues that keep surfacing over its cloud services' compliance with GDPR -- or whether it's just more bluster from a data-mining tech giant that's being called out for excessive and unlawful access to customer data and, therefore, whether more substantial reforms will be required before Microsoft will be the "safe" choice for IT procurers in the EU in the future.

Following the German working group's statement, data protection experts in Europe have been calling for pan-EU enforcement over the problems identified by regulators -- and questioning why Microsoft cannot apply meaningful limits on customer data processing, given it previously agreed to drop processing for business activities in government and public sector contracts agreed in the Netherlands, for example.

This content is not available due to your privacy preferences.
Update your settings here to see it.

Microsoft's lead data protection authority in the EU is Ireland's Data Protection Commission -- which would be responsible for leading any pan-EU enforcement of the GDPR against the company.

However, the DPC told TechCrunch it does not currently have any open inquiries into Microsoft, so it appears more likely that regional enforcement of cloud compliance concerns will be pushed through via decentralized (but coordinated) attention to public sector contracts Microsoft has inked around the bloc by regulators in different member states. Which sounds like, well, the kind of messy, multipronged, resource-draining enforcement nightmare for itself and customers of Microsoft 365 the company should really be doing everything it can to avoid...