Data ProtectionCybersecurity & Risk Management

German data protection authorities criticize data protection at Microsoft 365

Datenschutz Microsoft 365
252x252_arthur_heydata_882dfef0fd_c07468184b.webp
Arthur
19.06.2023

Although Microsoft 365 is used worldwide, it is the subject of complaints, especially from German data protection authorities, due to concerns surrounding its transparency and documentation regarding the processing of personal data. The DSK's report draws a conclusive observation: “As long as, in particular, the necessary transparency about the processing of personal data from Microsoft's commissioned processing for its own purposes has not been established and its lawfulness has not been proven, this proof [of data protection-compliant use] cannot be provided.”

The good news is that we still see some potential for use. 

The processing of personal data

Microsoft 365 transfers a variety of usage data, including information about the devices you use, how you use them, and which apps and features you access. This data can help Microsoft improve its products and services - but raises privacy issues. For example, Microsoft can see what documents you're working on when you use the Office apps. According to DSK, it is still not clear which of the personal data is stored and processed and to what extent it is used by Microsoft.

Microsoft's response to criticism

Microsoft has expressed its commitment to collaborating closely with data protection authorities to address concerns regarding documentation and transparency. A spokesperson from Microsoft stated, "We are dedicated to ensuring that our M365 products not only comply with, but frequently surpass stringent EU data protection regulations. (...). Our endeavors to safeguard our customers' data set new standards in the market. We provide an array of tools and solutions that empower our global customers with greater control over their data." Microsoft acknowledges the significance of the doubts raised by the DSK and has expressed their intent to "further enhance the documentation regarding our customers' data flows and the purposes of processing" in forthcoming initiatives.

The future of Microsoft 365 in Germany

At present, the future of Microsoft 365 is uncertain. The data protection authorities have not yet reached a final decision on this matter - individual cases are also to be considered at this point. The view of the authorities has not yet been confirmed by the courts. However, if Microsoft is unable to provide the necessary documentation and transparency, it is possible that the software will be banned in Germany. This would be a severe blow to Microsoft, as Germany is one of the company's largest markets. It also raises the question as to what alternative services would be used in Germany in the future.

However, there is another side to the story: The authorities are demanding a level of detail from Microsoft in the contract documents that does not do justice to the technical complexity of the application. Simultaneously, it is not possible for Microsoft to map every use by users in the contract documents. Additionally, data protection authorities have expressed their reservation in recognizing the precise intentions pursued by Microsoft in terms of data processing for their internal objectives.

The stance of the authorities has yet to receive confirmation from the courts. Currently, the authorities have adopted strong positions, but we at heyData hold the belief that there are alternative perspectives to consider.