Deploying Microsoft 365 in a GDPR-compliant manner – feasible or wishful thinking?

Professional Article

In 2010, Office 365 (now Microsoft 365) was introduced by Microsoft as the official successor to the Business Productivity Online Suite (BPOS). Following its release in 2011, the suite has since grown to become the industry standard in work software, with nearly 345 million personal and business users worldwide. Quickly creating a Word document, sharing an Excel spreadsheet or designing a PowerPoint presentation – it’s all becoming routine.

Understandably so, since the advantages are manifold. For example, the synchronization of documents ensures optimal collaboration between colleagues. Changes can be made in real time from anywhere. Meetings about the latest work results can also easily be held via the Microsoft Teams application. The widespread use of the Microsoft 365 Suite also ensures compatibility with other companies around the world. However, the advantages also come at a price.

Since the General Data Protection Regulation (GDPR) came into effect on May 24, 2016, companies in the EU have had to take a very close look at which software they use, because many applications make compromises when it comes to data protection. What seemed fine before can now result in significant penalties. To make matters worse, the legal situation in terms of data protection leaves a great deal of room for interpretation, which in some cases leads to trial and error for companies trying to find a viable path. Thus, with every newly adopted application, a question quickly arises: “Do we still comply with the requirements of the GDPR?”

Big Brother is watching you

At the latest since the ECJ’s ruling in the Schrems II case, it has been clear that the Privacy Shield, which was supposed to ensure secure data transfer between the EU and the US, is not sufficient to adequately protect the data of EU citizens. This is due to several U.S. laws. The Foreign Intelligence Surveillance Act (FISA) legitimizes the surveillance of non-U.S. citizens outside the United States by domestic intelligence agencies. FISA has been further modified by the Patriot Act and the Freedom Act. The latter has ensured that U.S. authorities no longer have direct access to the data of telecommunications companies, but it obliges the companies to store all data and to hand it over upon request by the U.S. authorities. The CLOUD Act also requires U.S. telecommunications companies to hand over data stored outside the United States. This unrestricted data collection is in direct conflict with the GDPR.

Some U.S. companies rely on standard contractual clauses that are meant to guarantee better data protection. However, these clauses are virtually ineffective because they are simply undermined by U.S. laws. Many companies also advertise that they host their servers and applications within the EU and thus supposedly guarantee better data protection. And in fact, there is a difference compared with hosting in the US: the change in location means that there is no longer any direct data transfer to a third country, so the requirements for protection and the documentation obligations are correspondingly lower. But this is exactly where the CLOUD Act takes effect and undermines the GDPR.

Microsoft reacted to this critical data protection situation a few years ago and, in cooperation with Deutsche Telekom, attempted to set up data centers in Magdeburg and Frankfurt am Main that are operated exclusively by Deutsche Telekom and from which no data can therefore flow abroad. However, the high data protection standard in Germany proved to be a double-edged sword for Microsoft. While the data ran safely and securely on German servers, technical problems such as delays or crashes due to security-related mechanisms, the comparatively higher prices, and the resulting customer dissatisfaction ultimately led to Microsoft officially discontinuing the project in 2021.

So what options remain for European companies? How can Microsoft 365 be used in a data protection-compliant manner despite all of this? Is this even possible, or do alternatives have to be found?

Data leech Microsoft

Microsoft 365 collects personal and other critical data and sends it to Microsoft servers without being asked and without this being apparent to the user at first glance. This unauthorized transfer constitutes a breach of data protection under EU rules and, in the worst case, can lead to economic damage of several million euros for the company, accompanied by a significant loss of reputation.

However, there is a way to prevent many unauthorized data transfers and thus minimize the risk of a data protection breach. To do so, you first need to know how data is gathered and sent to the U.S. or other critical locations.

It is important to distinguish between different types of data and how they are collected:

Functional data

In order for Microsoft 365 to function properly, functional data is collected and processed under the Online Service Terms, including the data processing agreement. This data is deleted again directly after the service has been provided.

Content data

Microsoft also processes content created with the Microsoft 365 suite, but only as part of the service provision. The Online Service Terms also stipulate that the use of this data for purposes other than provisioning is prohibited.

Diagnostic data

Things get more difficult when it comes to diagnostic data. Here, Microsoft collects data that can be used to uniquely identify users. The duration of use of the Office application and the event ID are also tracked.

Diverse data through Connected Experiences

The Connected Experiences provide features, such as spelling help, for which Microsoft acts as a processor, as well as other features that are not covered by the processing agreement. The data collected by these is used by Microsoft for marketing and personalization purposes, among others. Thus, features such as 3D Maps, Smart Lookup and the Office Store pose a corresponding data risk and do not comply with the so-called “Privacy by Default” that the GDPR stipulates in Art. 25(2).

What is certain is that a lot of data will end up migrating to Microsoft. A good strategy is therefore to switch off all functions that are associated with a high data transfer but are not absolutely necessary. For Connected Experiences, for example, it is now possible to switch off individual functions. This can cut off a considerable flow of data to the outside world.

Is there still a leak?

In order to check which data is still forwarded to external servers after deactivating all features that are not absolutely necessary, it is advisable to perform a corresponding analysis. As things stand, the transfer of data cannot be completely avoided. Once the result is available, a data privacy impact assessment can be used to decide to what extent the remaining risk to the company and its own employees and customers is acceptable. An acceptable risk may initially be the transfer of the IP addresses of employees, since this does not cause any real damage. The individual company profiles that are created in Microsoft 365 also do not initially represent a high risk. However, it is important that all employees have been informed of the data transfer and have explicitly agreed to it (preferably in writing).

To provide more security, all data should be encrypted, if possible. Microsoft itself offers encryption, but it is recommended to use your own encryption, because this way nobody else has access to the data – not even Microsoft. Encryption can, for example, simply be automated via company policies.

Data separation also helps to reduce the risk. It’s wise to consider what data really needs to be stored in the Microsoft cloud and what doesn’t. Things like payrolls and personal details about employees are better stored locally or in a European cloud to achieve a sufficient level of data protection.

Furthermore, an annual re-audit is recommended, as Microsoft is always updating the various applications as well as adding and changing features.
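As an added example (not code from the article, from Microsoft, or from any project the article describes), the following PowerShell applies the per-user policy values that Microsoft documents for switching off individual Connected Experiences and diagnostic data, and re-reads them as a drift check for the re-audit recommended above. The key paths and value names are assumptions taken from Microsoft's privacy-controls documentation as the example's author knows it, not from the article.

```powershell
# Added example (not from the article). Writes and audits the per-user policy
# values Microsoft documents for the Microsoft 365 Apps privacy controls. Key
# paths and value names are assumed from that documentation; confirm them
# against the current version and prefer GPO/Intune delivery over local writes.
$PrivacyKey   = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
$TelemetryKey = 'HKCU:\Software\Policies\Microsoft\office\common\clienttelemetry'

# Data-minimizing baseline. For the connected-experience switches 1 = enabled,
# 2 = disabled; for sendtelemetry 1 = Required, 2 = Optional, 3 = Neither.
# "disconnectedstate" (all connected experiences at once) is deliberately left
# unset so that processor-covered features such as spelling help keep working.
$Baseline = [ordered]@{
    "$PrivacyKey\controllerconnectedservicesenabled" = 2   # optional experiences (e.g. Office Store)
    "$PrivacyKey\usercontentdisabledstate"           = 2   # experiences that analyze content (e.g. Smart Lookup)
    "$PrivacyKey\downloadcontentdisabledstate"       = 2   # experiences that download online content
    "$TelemetryKey\sendtelemetry"                    = 3   # diagnostic data: neither Required nor Optional
}

function Set-M365PrivacyBaseline {
    # Applies every baseline value as a REG_DWORD, creating missing keys.
    foreach ($entry in $Baseline.GetEnumerator()) {
        $path = Split-Path -Path $entry.Key -Parent
        $name = Split-Path -Path $entry.Key -Leaf
        if (-not (Test-Path -Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $name -Value $entry.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Get-M365PrivacyDrift {
    # Re-audit helper: one object per setting; Compliant is $false when the
    # value is missing or differs from the baseline (e.g. after an Office
    # update or a changed policy). Run it on the periodic re-check.
    foreach ($entry in $Baseline.GetEnumerator()) {
        $path   = Split-Path -Path $entry.Key -Parent
        $name   = Split-Path -Path $entry.Key -Leaf
        $actual = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        $shown  = if ($null -eq $actual) { 'not set' } else { $actual }
        [pscustomobject]@{
            Setting   = $name
            Expected  = $entry.Value
            Actual    = $shown
            Compliant = ($actual -eq $entry.Value)
        }
    }
}

Set-M365PrivacyBaseline
Get-M365PrivacyDrift | Format-Table -AutoSize
```

Any row with Compliant = False after an Office update or policy change is a candidate for the documentation trail described in the next section.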

As far as the CLOUD Act is concerned, it is quite possible to conclude that the risk is low here as well, since the intelligence agencies do not routinely request access to data, for one thing, and they also require a court order.

Documentation for more security

Every single step towards handling Microsoft 365 in the most GDPR-compliant manner possible must be documented in detail in order to be prepared for any audits or other reviews. In this way, the basis for discussion can be shifted from “You are using Microsoft 365, that’s not GDPR-compliant at all” to “Yes, we are using Microsoft 365 and have taken all necessary measures to keep the risk as low as possible!”

The Dutch Ministry of Justice and Security also concluded, after a corresponding data protection impact assessment by an external service provider, that Office 365 ProPlus version 1905 can be deployed in a way that complies with data protection. However, it also found that the web and mobile versions do not meet the data protection criteria and should therefore not be used.

Can Microsoft 365 be used in a GDPR-compliant manner as things stand today?

The Microsoft 365 Suite from Microsoft has many pitfalls and obstacles with regard to GDPR-compliant use. However, it is possible to circumvent many of them by preventing and disabling functions. Encryption of data and active data separation also provide more security.

As part of a risk assessment, however, it remains a discretionary decision whether or not to have the software in use. A public authority, for example, usually stores and processes more personal data than a medium-sized company.

In addition, there are still inconsistencies in the interpretation of the law. Even if a private service provider commissioned by the Dutch Ministry of Justice and Security finds that Microsoft 365 can be operated in compliance with the GDPR with the appropriate settings and restrictions, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg already sees things differently. In order to provide more clarity and transparency here, the legislator urgently needs to make improvements.

However, things may soon get a lot easier: on June 3, 2022, a draft bill was presented in the U.S. that is intended to tighten up data protection in the country by quite a bit. Whether the draft presented can even do justice to the GDPR is not yet certain. Some points are currently causing discussion. However, with regard to the efforts of the EU and the USA to enable data transfer, there is still the possibility that some things could become easier in the future.

This professional article does not constitute legal advice. We take no liability for any damages.