Using Microsoft 365 in a GDPR-compliant manner — feasible or wishful thinking?
Microsoft and data protection — Is there a viable path between data collection and European legislation?
Update (24.08.2023):
As things stand, the use of Microsoft Teams based on the Data Privacy Framework — the current data protection agreement between the EU and the USA — is considered legally secure. However, as Austrian lawyer and data protection activist Max Schrems has already announced that he will challenge the agreement, the legal situation may change again at any time.
Original text:
In 2010, Office 365 (now Microsoft 365) was presented by Microsoft as the official successor to the Business Productivity Online Suite (BPOS). Since its release in 2011, the suite has grown into the industry standard for productivity software, with almost 345 million private and business users worldwide. Creating a Word document, sharing an Excel spreadsheet or designing a PowerPoint presentation is now commonplace.
Understandable, because the benefits are manifold. Synchronized documents, for example, enable smooth collaboration between colleagues: changes can be made in real time from anywhere. Meetings about the latest work results can also be held easily using the Microsoft Teams application. The widespread use of the Microsoft 365 suite also ensures compatibility with other companies worldwide. But the benefits come at a price.
Since the General Data Protection Regulation (GDPR) came into force on May 24, 2016, companies in the EU must take a very close look at which software they use, because many applications make compromises when it comes to data protection. What seemed acceptable before can now result in significant penalties. This is compounded by the fact that the legal situation regarding data protection leaves considerable room for interpretation, which sometimes leads to trial and error for companies trying to find a viable path. With every new application, the question quickly arises: “Are we complying with the requirements of the GDPR?”
Big Brother is watching you
Since the ECJ's ruling in the Schrems II case, it has become clear that the Privacy Shield, which was supposed to ensure secure data transfers between the EU and the USA, is not sufficient to adequately protect the data of EU citizens. This is due to several US laws. The Foreign Intelligence Surveillance Act (FISA) legitimizes the surveillance of non-US citizens outside the United States by domestic intelligence agencies. FISA was also modified by the Patriot Act and the Freedom Act. Although the latter has ensured that US authorities no longer have direct access to data held by telecommunications companies, it obliges those companies to store all data and release it at the request of the US authorities. The so-called CLOUD Act additionally obliges US telecommunications companies to release data that is stored outside the United States. This unrestricted collection of data is in direct conflict with the GDPR.
Some US companies rely on standard contractual clauses that are meant to guarantee better data protection. However, these clauses are virtually ineffective, as they are simply undermined by US law. Many companies also advertise that they host their servers and applications within the EU and thus guarantee supposedly better data protection. And there is indeed a difference compared to hosting in the USA: because of the change of location, there is no longer a direct data transfer to a third country, so the protection and documentation requirements are lower. But this is where the CLOUD Act comes in and undermines the GDPR.
Microsoft reacted to this critical data protection situation a few years ago and, in cooperation with Deutsche Telekom, set up data centers in Magdeburg and Frankfurt am Main that were operated exclusively by Deutsche Telekom, so that no data could flow abroad. However, the high data protection standard in Germany proved to be a double-edged sword for Microsoft. While the data ran safely and securely on German servers, technical problems such as delays or crashes caused by security-relevant mechanisms, the comparatively higher prices and the resulting customer dissatisfaction finally led Microsoft to officially discontinue the project in 2021.
So what options remain for German companies? How can Microsoft 365 be used in compliance with data protection regulations despite all this? Is that even possible or do alternatives have to be found?
Microsoft data octopus
Microsoft 365 collects personal and other critical data and sends it to Microsoft servers without being asked, and without this being apparent to the user at first glance. This unauthorized transfer constitutes a breach of data protection under EU rules and, in the worst case, can result in economic damage of several million euros for the company as well as a significant loss of reputation. However, it is possible to prevent many unauthorized data transfers and thus minimize the risk of a data breach. To do this, you first need to know how the data is collected and sent to the USA or other critical locations. A distinction must be made between the different kinds of data and how they are collected:
functional data
In order for Microsoft 365 to function properly, functional data is collected, which is processed under the Online Service Terms, including a data processing agreement (order data processing contract). The data is deleted immediately after it has been made available.
content data
Microsoft also processes the content created with the Microsoft 365 suite, but only as part of service provision. The Online Service Terms also stipulate that the use of this data for purposes other than providing the service is prohibited.
diagnostic data
Things become more difficult when it comes to diagnostic data. Here, Microsoft collects data that can be used to uniquely identify users. The duration of use of the Office application and the event ID are also tracked.
Diverse data through connected experiences
In addition to functions such as spelling help, where Microsoft acts as a processor, the Connected Experiences offer other features that are not covered by the data processing agreement. The data collected by them is used by Microsoft for marketing and personalization purposes, among other things. Features such as 3D Maps, Smart Lookup and the Office Store represent a corresponding data risk and do not comply with the “Privacy by Default” principle that the GDPR sets out in Article 25 paragraph 2. It is clear that a lot of data will end up migrating to Microsoft. A good strategy is therefore to switch off all functions that involve a high level of data transfer but are not absolutely required. With Connected Experiences, for example, it is now possible to switch off individual functions, and a significant flow of data to the outside world can be cut off as a result.
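One way to enforce the switch-off described above centrally rather than per user, as an added example that is not part of the original article: the script writes the per-user policy values that Microsoft documents for the Microsoft 365 Apps privacy controls (the value names and locations are taken from that documentation and should be checked against the current version for your build) and then reads them back, so the resulting state can be recorded as evidence.

```powershell
# Added example: enforce the "connected experiences off" policy for
# Microsoft 365 Apps through the per-user policy hive and verify the result.
# Value names/locations follow Microsoft's documented Office privacy policies;
# verify them against the current documentation for the build in use.
# Run in a PowerShell session on a test machine first.

$privacyKey   = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
$telemetryKey = 'HKCU:\Software\Policies\Microsoft\Office\Common\ClientTelemetry'

# Desired state: 2 = disabled for the connected-experience controls,
# 3 = "Neither" (no required and no optional diagnostic data) for SendTelemetry.
$desired = @{
    "$privacyKey\DisconnectedState"                  = 2   # all connected experiences off
    "$privacyKey\UserContentDisabled"                = 2   # experiences that analyze content
    "$privacyKey\DownloadContentDisabled"            = 2   # experiences that download online content
    "$privacyKey\ControllerConnectedServicesEnabled" = 2   # additional optional experiences
    "$telemetryKey\SendTelemetry"                    = 3   # diagnostic data: neither
}

function Set-OfficePrivacyPolicy {
    foreach ($entry in $desired.GetEnumerator()) {
        $path = Split-Path $entry.Key -Parent
        $name = Split-Path $entry.Key -Leaf
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-OfficePrivacyPolicy {
    # One row per policy with the value actually present, usable as an audit record.
    foreach ($entry in $desired.GetEnumerator()) {
        $path   = Split-Path $entry.Key -Parent
        $name   = Split-Path $entry.Key -Leaf
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Policy    = $name
            Expected  = $entry.Value
            Actual    = $actual
            Compliant = ($actual -eq $entry.Value)
        }
    }
}

Set-OfficePrivacyPolicy
Test-OfficePrivacyPolicy | Format-Table -AutoSize
```

In a managed environment the same values would normally be deployed through Group Policy or Intune; the read-back function is still useful there to confirm that the policy actually applied on a given client.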
Is there another leak?
In order to check which data is still forwarded to external servers after all features that are not absolutely necessary have been switched off, it is advisable to carry out an appropriate analysis, since as things stand the transfer of data cannot be avoided completely. Once the result is available, a data protection impact assessment can be used to decide to what extent the remaining risk for your own company, employees and customers is justifiable. Sharing the IP addresses of employees can initially be a justifiable risk, as this causes no real damage for now. Even the individual company profiles created in Microsoft 365 do not initially pose a high risk. However, it is important that all employees have been informed of the transfer and have given their explicit consent (preferably in writing).
To provide greater security, data should be encrypted whenever possible. Microsoft itself offers encryption, but it is advisable to use your own encryption, because then no one else has access to the data, not even Microsoft. Encryption can, for example, simply be automated using company policies.
Separating data also helps to reduce risk. It is advisable to consider which data really needs to be stored in the Microsoft cloud and which does not. Things such as payslips and personal details about employees should be stored locally or in a German or European cloud to achieve a sufficient level of data protection.
Furthermore, an annual re-approval is recommended, as Microsoft is constantly updating the various applications and adding and changing functions. As far as the CLOUD Act is concerned, it is also possible to conclude that the risk is low, since the intelligence services do not routinely request access to data and, in addition, need a court order to do so.
Documentation for greater safety
Every single step taken towards using Microsoft 365 in as GDPR-compliant a manner as possible must be precisely documented in order to be prepared for any audits or other checks. This shifts the basis of any discussion from “You are using Microsoft 365, which is not GDPR-compliant at all” to “Yes, we use Microsoft 365 and have taken all necessary measures to keep the risk as low as possible!”
Following a corresponding data protection impact assessment by an external service provider, the Dutch Ministry of Justice and Security also came to the conclusion that Office 365 ProPlus version 1905 can be used in such a way that data protection requirements are met. However, it was also found that the web and mobile versions do not meet the data protection criteria and should therefore not be used.
Can Microsoft 365 be used in accordance with the GDPR as it stands today?
Microsoft's Microsoft 365 suite has many pitfalls and obstacles when it comes to GDPR-compliant use. However, it is possible to avoid many of them by restricting and deactivating functions. Data encryption and active data separation also provide greater security.
As part of a risk impact assessment, however, it remains a discretionary decision whether you want to use the software or not. An authority, for example, generally stores and processes more personal data than a medium-sized company.
In addition, there are still discrepancies in the interpretation of the law. Even though a private service provider, on behalf of the Dutch Ministry of Justice and Security, concluded that Microsoft 365 can be operated in compliance with the GDPR with appropriate settings and restrictions, Baden-Württemberg's State Commissioner for Data Protection and Freedom of Information sees things differently. In order to ensure greater clarity and transparency here, legislators urgently need to make improvements.
But things may soon become easier: on June 3, 2022, a draft law was presented in the USA which is intended to significantly tighten data protection in that country. It is not yet certain whether the proposed draft can even satisfy the requirements of the GDPR; a few points are currently under discussion. But given the efforts of the EU and the USA to make data transfers possible, there is still a chance that things could become easier in the future.
This specialist article does not constitute legal advice. We are not responsible for any damage.
Dr. Moritz Liebeknecht
IP Dynamics GmbH
Billstraße 103
D-20539 Hamburg