Microsoft 365: Can organizations still meet their accountability obligation?

The Conference of German Supervisory Authorities has rejected a GDPR-compliant use of Microsoft 365. In France, there is also disapproval from the Ministry of Education.

On 25 November 2022, the DSK published a statement on "Microsoft Online Services" with a summary of the results of an audit, the detailed report of which was in turn published on 7 December 2022. In this report, the DSK concludes that “​the proof of controllers to operate Microsoft 365 in compliance with data protection law [...] cannot be provided”, as required by Art. 5 (2) General Data Protection Regulation (GDPR). This result is consistent with an initial assessment from September 2020, according to which "the use of Microsoft 365 is not possible under data protection law”.

Although the current statement of the DSK does not represent a compelling form of action from a supervisory authority, such as the prior examinations from Berlin and Baden-Württemberg, the states’ 17 supervisory authorities are very likely to follow this assessment with action – after all, they were involved in the decision-making process during the conference.

Almost in parallel to the developments in Germany, the French Ministry of Education has also stated on 15 November 2022 in the context of an enquiry as to whether Microsoft would have a competitive advantage due to the free provision of Microsoft 365 for schools, that it could not be used in a data protection-compliant manner anyway - at least in schools.

Basis of the DSK’s audit

For its audit, the DSK used the current “Microsoft Product and Services Data Protection Addendum” (DPA) of 15 September 2022 as a basis and examined in detail whether the deficiencies identified two years ago have been remedied in the meantime. In the DSK’s view, however, there were “​no significant improvements” for the most part.

However, the DSK emphasises that only the DPA served as a basis for the audit and no audit was carried out regarding

• the entire set of agreements as well as
• the actual processing.

The result: Microsoft 365 is inadmissible under data protection law

The DSK first states that “controllers must be able to meet their accountability obligation under Art. 5 (2) GDPR at all times”​. For Microsoft 365, however, controllers would not be able to meet this obligation, as essentially

• the DPA would be non-transparent, as it remains unclear
  • which processing activities take place in detail and
  • which processing activities are carried out for Microsoft's own purposes, and
• “​a use without transferring personal data to the USA is not possible”.

Specifically, the DPA criticises that “​no significant improvements” were made in the DPA regarding the specification of the nature and purpose of the processing as well as the types of data processed. Improvements would remain necessary, which Microsoft could fulfil, for example, if it would align its agreement to Annex II of the Standard Contractual Clauses (SCCs) or attach a detailed record of processing activities.

In addition, it remains “unclear" which data Microsoft is processing for its own purposes and on what legal basis. This would apply in particular to telemetry and diagnostic data, which would be processed “on a large scale”.

Furthermore, the right to issue instructions under Art. 28 (3) (1) (a) GDPR would be restricted, as far-reaching disclosures would be reserved by contract, which would not be in line with Art. 48 GDPR.

Moreover, it would not be compliant with the GDPR that the technical and organisational measures do not cover all data, but only customer data of core online services and professional services.

Although the DSK admits that Microsoft has improved the information on sub-processors, the template provided only contains information on general planned changes, but not on concrete planned changes. Also, only the sub-processor’s activities and the location of the sub-processor's registered office are stated, but not the sub-processor's name, address and contact person.

Crucially, however, the DSK cites the inadmissible transfer of data to the US under Schrems-II as reason for the unlawfulness of Microsoft 365. Microsoft's planned “EU Data Boundary” and the relocation of data processing to the EU appears helpful but will only be implemented in the future and would not yet be sufficiently concrete. The US “Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities” of 7 October 2022 and the new draft adequacy decision published after the statements publication on 13 December 2022 were not taken into account by the DSK. However, it remains to be seen whether and to what extent the upcoming Trans-Atlantic Data Privacy Framework may change the DSK’s position.

Practical impact

Microsoft itself published its own statement on the same day, in which it opposes the DSK - as expected. The authorities are nevertheless expected to carry out detailed audits of companies using Microsoft 365.

While the DSK’s statement does not mean that Microsoft 365 can no longer be used in any case, controllers should not rely exclusively on Microsoft to take action in this regard. Instead, they should undertake their own efforts to analyse and mitigate the risk of using Microsoft 365 to avoid significant risks such as administrative fines or damage claims, for example by:

• Reviewing options to process personal data on data centres in the EU and to avoid third-country data transfers;
• Adjusting the preferences, e.g. by deactivating the usability enhancement and reducing the diagnostic data;
• Carrying out a detailed data protection impact assessment (DPIA); and
• Documenting all steps taken in this regard.