
In 2010, Microsoft announced Office 365 (now Microsoft 365) as the successor to the Business Productivity Online Suite (BPOS). Since its general availability in 2011 the suite has grown into the de facto standard for office software, with nearly 345 million personal and business users worldwide. Quickly drafting a Word document, sharing an Excel spreadsheet or building a PowerPoint deck has become routine.
Understandably so, since the advantages are manifold: synchronized documents let colleagues collaborate, with changes visible in real time from anywhere; meetings about the latest results are a click away in Microsoft Teams; and the suite's ubiquity guarantees compatibility with partners around the world. The advantages, however, come at a price.
Since the General Data Protection Regulation (GDPR) entered into force on May 24, 2016 (it has applied since May 25, 2018), companies in the EU have had to look very closely at which software they use, because many applications compromise on data protection. What seemed fine before can now result in significant penalties. To make matters worse, the legal situation leaves a great deal of room for interpretation, which in some cases leaves companies finding a viable path by trial and error. So with every newly adopted application the question quickly arises: "Do we still comply with the GDPR?"
Big Brother is watching you
At the latest since the ECJ's Schrems II ruling of July 16, 2020, it has been clear that the Privacy Shield, which was meant to ensure secure data transfers between the EU and the U.S., does not adequately protect the data of EU citizens. The reason lies in several U.S. laws. The Foreign Intelligence Surveillance Act (FISA), in particular its Section 702, authorizes domestic intelligence agencies to target non-U.S. persons located outside the United States. FISA was later amended by the Patriot Act and the USA FREEDOM Act. The latter ended the agencies' direct bulk access to telecommunications companies' data, but the companies retain the data and must hand it over on request under a court order. The CLOUD Act additionally obliges U.S. providers of communication and cloud services to hand over data in their possession even when it is stored outside the United States. Because this access is neither limited to what is strictly necessary nor subject to effective legal redress for EU citizens, it is in direct conflict with the GDPR.
Some U.S. companies point to standard contractual clauses (SCCs) as a guarantee of adequate protection. The ECJ did not invalidate the SCCs, but it held that a contract alone cannot bind U.S. authorities: the data exporter must verify that the importer's national law does not undermine the clauses, and for a provider subject to FISA Section 702 that is hard to show without additional technical measures. Many companies also advertise that they host their servers and applications within the EU, which supposedly guarantees better data protection. And there is indeed a difference from hosting in the U.S.: with an EU location there is no direct transfer of data to a third country, so the protection requirements and the documentation obligations are lower. But this is exactly where the CLOUD Act takes effect and undermines the GDPR, because the obligation to hand over data follows the provider, not the server location.
Microsoft reacted to this situation some years ago: together with Deutsche Telekom it set up data centers in Magdeburg and Frankfurt am Main (the "Microsoft Cloud Deutschland"), operated under the control of Telekom subsidiary T-Systems as data trustee, so that no data could flow abroad. The high German data protection standard, however, proved to be a double-edged sword for Microsoft. While the data ran safely on German servers, the isolation brought technical problems such as delays, missing features and outages caused by the security mechanisms, comparatively higher prices, and the resulting customer dissatisfaction; Microsoft stopped accepting new customers in 2018 and officially discontinued the offering in 2021.
So what options remain for European companies? Can Microsoft 365 be used in a way that complies with data protection law despite all this? Is that even possible, or do alternatives have to be found?
Data leech Microsoft
Microsoft 365 collects personal and other critical data and sends it to Microsoft servers unasked and in ways that are not apparent to the user at first glance. Such an unauthorized transfer constitutes a data protection breach under EU rules and, in the worst case, can cost the company several million euros in fines and cause significant reputational damage.
There is, however, a way to prevent many of these unauthorized transfers and so minimize the risk of a breach. To do so, you first need to know how data is gathered and sent to the U.S. or other critical locations.
It is important to distinguish between different types of data and how they are collected:
Functional data
Functional data is collected and processed so that Microsoft 365 can work at all, under the Online Services Terms (OST) including the Data Processing Addendum (DPA). It is needed only to carry out the request and is deleted directly after the service has been provided.
Content data
Microsoft also processes the content created with the Microsoft 365 suite, but only to provide the service. The Online Services Terms also stipulate that using this data for any purpose other than providing the service is prohibited.
Diagnostic data
Diagnostic data is where things get more difficult. Here, Microsoft collects data that can uniquely identify users and their devices, and tracks, among other things, how long each Office application is used and which events (by event ID) occurred in it.
Diverse data through Connected Experiences
Connected Experiences provide features such as spelling suggestions, for which Microsoft acts as a processor, as well as other features that are not covered by the data processing agreement. Data collected by the latter is used by Microsoft for marketing and personalization purposes, among others. Features such as 3D Maps, Smart Lookup and the Office Store therefore carry a corresponding data risk and do not satisfy "data protection by default", which the GDPR requires in Art. 25(2).
What is certain is that a lot of data ends up with Microsoft. A good strategy is therefore to switch off every function that causes a high data transfer but is not absolutely necessary. For Connected Experiences, for example, Microsoft now provides policies that turn off the individual categories (experiences that analyze content, experiences that download online content, and the additional optional experiences) as well as a master switch for all of them, which cuts off a considerable flow of data to the outside world.
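The switches described above, as an added example that is not code from the original article: the script writes the per-user Office privacy policies that Microsoft documents for Microsoft 365 Apps for enterprise (registry branch `office\16.0`), reads each one back before and after, and flags any that still sit at the weak "not configured" default. The policy names, paths and values are Microsoft's documented ones; the `Covers` descriptions are this example's own summary, and the feature-to-category mapping of the page's three examples (3D Maps, Smart Lookup, Office Store) is taken from the page. In production the same values are deployed fleet-wide via Group Policy or the Cloud Policy service; this is the single-client form for testing.

```powershell
# Added example, not code from the original article. Applies the per-user Office
# privacy policies that Microsoft documents for Microsoft 365 Apps for enterprise
# (registry branch "office\16.0"). In production the same values are deployed
# through Group Policy or the Cloud Policy service; this is the single-client
# form, useful for testing before and after a traffic analysis.

$privacy   = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
$telemetry = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\clienttelemetry'

# Value 2 = "disabled" for the four Connected Experiences switches;
# SendTelemetry 3 = "Neither" (no required and no optional diagnostic data).
# Leaving a value unset keeps Microsoft's default, which is "enabled".
$hardened = @(
    @{ Path = $privacy;   Name = 'UserContentDisabled';                Value = 2; Covers = 'experiences that analyze content (e.g. Editor)' }
    @{ Path = $privacy;   Name = 'DownloadContentDisabled';            Value = 2; Covers = 'experiences that download online content (e.g. online templates)' }
    @{ Path = $privacy;   Name = 'ControllerConnectedServicesEnabled'; Value = 2; Covers = 'additional optional experiences (3D Maps, Smart Lookup, Office Store, ...)' }
    @{ Path = $privacy;   Name = 'DisconnectedState';                  Value = 2; Covers = 'master switch for all connected experiences' }
    @{ Path = $telemetry; Name = 'SendTelemetry';                      Value = 3; Covers = 'level of client diagnostic data' }
)

function Get-OfficePrivacyState {
    # Reads each policy back; $null means "not configured", i.e. the weak default.
    foreach ($p in $hardened) {
        $current = $null
        if (Test-Path $p.Path) {
            $item = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($p.Name) }
        }
        $shown = if ($null -eq $current) { 'not configured (default: enabled)' } else { $current }
        [pscustomobject]@{
            Policy   = $p.Name
            Covers   = $p.Covers
            Current  = $shown
            Hardened = $p.Value
            Ok       = ($current -eq $p.Value)
        }
    }
}

function Set-OfficePrivacyHardening {
    foreach ($p in $hardened) {
        if (-not (Test-Path $p.Path)) { New-Item -Path $p.Path -Force | Out-Null }
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $p.Path -Name $p.Name -PropertyType DWord -Value $p.Value -Force | Out-Null
    }
}

'Before:'; Get-OfficePrivacyState | Format-Table -AutoSize
Set-OfficePrivacyHardening
'After:';  Get-OfficePrivacyState | Format-Table -AutoSize
```

`DisconnectedState` is the blunt instrument: with it set to 2 the three category switches are redundant, but they are the ones to use when a single category (for example the Editor) has to stay available. Even with all five values set, Microsoft documents that the client still contacts its services for licensing, sign-in and what it calls required service data, which is why the residual traffic has to be measured rather than assumed away.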
Is there still a leak?
To check which data is still forwarded to external servers after all unnecessary features have been deactivated, a corresponding analysis of the remaining network traffic is advisable. As things stand, the transfer of data cannot be avoided completely. Once the result is available, a data protection impact assessment (DPIA) can be used to decide to what extent the remaining risk to the company, its employees and its customers is acceptable. An acceptable risk may, for example, be the transfer of employees' IP addresses, since on its own this causes no real damage; the individual company profiles created in Microsoft 365 also do not initially represent a high risk. What matters is that all employees have been informed of the data transfer and have explicitly agreed to it, preferably in writing.
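One way to carry out that analysis, as an added example that is not code from the original article: after hardening a client, export the proxy or firewall log and sort each destination against Microsoft's published Office 365 endpoint list into "required for the service", "optional (should have been cut by the privacy policies)" and "unknown". The endpoint subset and the log lines below are constructed for this illustration and are not real data; the object shape (`id`, `serviceArea`, `category`, `required`, `urls`) follows the documented endpoint web service at `https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>`, which is where a real run would fetch the list from. The log format is this example's own assumption.

```powershell
# Added example, not code from the original article. Triages outbound
# connections from a hardened client against Microsoft's Office 365 endpoint
# list. Both $endpoints (a constructed subset) and $logText (constructed proxy
# log lines) are illustrative; with real data, replace $endpoints with the live
# JSON from the documented web service
#   https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
# (e.g. via Invoke-RestMethod) and $logText with a proxy or firewall export.

$endpoints = @(
    [pscustomobject]@{ id = 1; serviceArea = 'Common'; category = 'Allow';   required = $true;  urls = @('login.microsoftonline.com', '*.officeapps.live.com') }
    [pscustomobject]@{ id = 2; serviceArea = 'Common'; category = 'Default'; required = $false; urls = @('*.events.data.microsoft.com') }
    [pscustomobject]@{ id = 3; serviceArea = 'Common'; category = 'Default'; required = $false; urls = @('www.linkedin.com', '*.linkedin.com') }
)

# Constructed proxy log, assumed format: time user src-ip dest-host port action bytes
$logText = @'
2024-03-04T08:02:11Z alice 10.0.1.23 login.microsoftonline.com 443 allowed 5120
2024-03-04T08:02:13Z alice 10.0.1.23 editor.officeapps.live.com 443 allowed 20480
2024-03-04T08:05:40Z alice 10.0.1.23 self.events.data.microsoft.com 443 allowed 3072
2024-03-04T08:06:02Z bob 10.0.1.24 www.linkedin.com 443 allowed 1024
2024-03-04T08:07:19Z bob 10.0.1.24 cdn.example-analytics.net 443 allowed 896
'@
$logLines = $logText -split "`r?`n"

function Get-EndpointClass {
    param([string]$Hostname)
    foreach ($e in $endpoints) {
        foreach ($pattern in $e.urls) {
            # -like understands the '*' wildcards used in the endpoint list.
            if ($Hostname -like $pattern) {
                $class = if ($e.required) { 'Required' } else { 'Optional' }
                return [pscustomobject]@{ Class = $class; ServiceArea = $e.serviceArea; Category = $e.category; EndpointId = $e.id }
            }
        }
    }
    return [pscustomobject]@{ Class = 'Unknown'; ServiceArea = '-'; Category = '-'; EndpointId = $null }
}

function Get-ConnectionTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f   = $line.Trim() -split '\s+'
        $cls = Get-EndpointClass -Hostname $f[3]
        $verdict = switch ($cls.Class) {
            'Required' { 'expected' }
            'Optional' { 'should be blocked after hardening; check policy' }
            default    { 'not a documented Microsoft endpoint; investigate' }
        }
        [pscustomobject]@{
            Time    = $f[0]
            User    = $f[1]
            Host    = $f[3]
            Bytes   = [int]$f[6]
            Class   = $cls.Class
            Service = $cls.ServiceArea
            Verdict = $verdict
        }
    }
}

$triage = Get-ConnectionTriage -Lines $logLines
$triage | Format-Table Time, User, Host, Bytes, Class, Verdict -AutoSize

# Bytes per class: a quick measure of how much still leaves the client after hardening.
$triage | Group-Object Class | ForEach-Object {
    [pscustomobject]@{ Class = $_.Name; Connections = $_.Count; Bytes = ($_.Group | Measure-Object Bytes -Sum).Sum }
} | Format-Table -AutoSize
```

Two caveats belong in the DPIA alongside the output. The endpoint list's `required` flag and categories describe connectivity, not privacy, so "Optional" here is a heuristic for the Connected Experiences and telemetry class rather than a legal classification; and an "Unknown" host is not automatically a leak from Office, since the same client runs other software, so each one has to be attributed to a process before it goes into the risk register.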
To add a further layer of security, all data should be encrypted wherever possible. Microsoft itself encrypts data at rest and in transit, but it is recommended to use your own keys so that nobody else has access to the data, not even Microsoft. Only approaches where the key never reaches Microsoft's services achieve this, such as Double Key Encryption or client-side encryption before upload; Microsoft's Customer Key lets you supply the root key, but the service still decrypts the data in order to process it. The price of keeping the key out of the cloud is that server-side features such as search, co-authoring and eDiscovery no longer work on that content. Encryption can, for example, be automated via company policies, such as sensitivity labels that are applied automatically to certain classes of document.
Data separation also reduces the risk. It is worth considering which data really needs to be stored in the Microsoft cloud and which does not. Things like payroll and personal details about employees are better stored locally or in a European cloud to achieve a sufficient level of data protection.
Furthermore, an annual re-audit is recommended, since Microsoft is constantly updating its applications and adding and changing features, which can re-enable or introduce data flows that the original assessment did not cover.
As far as the CLOUD Act is concerned, it is also reasonable to conclude that the risk is low in practice: U.S. authorities do not routinely request access to data, and a CLOUD Act request requires a court order in the first place.
Documentation for more security
Every single step toward handling Microsoft 365 in the most GDPR-compliant manner possible must be documented in detail so that the company is prepared for audits or other reviews. In this way, the basis for discussion shifts from "You are using Microsoft 365, that's not GDPR-compliant at all" to "Yes, we are using Microsoft 365, and we have taken all necessary measures to keep the risk as low as possible".
The Dutch Ministry of Justice and Security also concluded, after a data protection impact assessment carried out by an external service provider, that Office 365 ProPlus version 1905 can be deployed in a way that complies with data protection law. It found, however, that the web and mobile versions did not meet the data protection criteria and should therefore not be used.
Can Microsoft 365 be used in a GDPR-compliant manner as things stand today?
The Microsoft 365 suite has many pitfalls and obstacles with regard to GDPR-compliant use. Many of them can, however, be avoided by disabling or blocking functions. Encrypting data and actively separating data also add security.
Whether or not to use the software nonetheless remains a discretionary decision in the risk assessment. A public authority, for example, usually stores and processes more personal data than a medium-sized company.
In addition, the interpretation of the law is still inconsistent. Even though a private service provider commissioned by the Dutch Ministry of Justice and Security finds that Microsoft 365 can be operated in compliance with the GDPR with the appropriate settings and restrictions, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg sees things differently. In order to provide more clarity and transparency here, the legislator urgently needs to make improvements.
Things may, however, soon get easier: on June 3, 2022, a draft bill was presented in the U.S. that is intended to tighten data protection in the country considerably. Whether the draft can live up to the GDPR is not yet certain, and some points are currently under discussion. But given the efforts of the EU and the U.S. to enable data transfers, there is a real chance that some things will become easier in the future.
This article does not constitute legal advice. We accept no liability for any damages.