04-26-2024 Article

Update Data Protection No. 176

European Commission violates GDPR – reviving the debate on the use of Microsoft 365?

Microsoft 365 is a perennial favourite in the data protection discourse. For many years, the supervisory authorities have criticised the use of the product. The reason for this is the accusation of insufficient compliance with data protection regulations. In our Data Protection Update No. 125 at the end of 2022, we reported on the opinion of the Conference of Independent Federal and State Data Protection Authorities ("DSK"), which deemed Microsoft 365 to be unlawful for several reasons. The Berlin Commissioner for Data Protection and Freedom of Information even came to the conclusion back in 2020 that a legally compliant use of Microsoft 365 was not possible; we reported on this in Data Protection Update No. 80.

The topic has now been taken up again at international level by the European Data Protection Supervisor ("EDPS"). As a result, there is a risk that the debate as a whole will flare up again and be placed on the agenda of the supervisory authorities.

Background

Specifically, the EDPS supervisory procedure concerns the use of Microsoft 365 by the European Commission. It uses Microsoft 365 for its internal communication. The use has been examined by the EDPS since May 2021. The audit was triggered by the Schrems II ruling of the ECJ on 16 July 2020 (case C-311/18), which overturned the EU-US Privacy Shield, which had previously legitimised data transfers to the USA.

The criticism of the EDPS

According to the EDPS report of 11 March 2024, the European Commission's use of Microsoft 365 violates European data protection law for several reasons.

The EDPS makes two main allegations. Firstly, the EU Commission has not prevented the unsafe transfer of data to countries outside the European Union ("third countries"). In particular, it has failed to ensure an adequate level of protection for personal data transferred via Microsoft 365, above all to the USA. According to the EDPS, Microsoft should have sufficiently reviewed the legislation of all third countries to ensure that Microsoft 365 does not transfer data to third countries in a way that is unauthorised under EU law.

Secondly, the exact data collected when using Microsoft 365 had not been determined. The data processing agreement ("DPA") between the European Commission and Microsoft therefore did not sufficiently specify what type of personal data was collected and which specific recipients received it. The processing purposes were also insufficiently specified, which in turn would have been necessary to assess the need for additional measures. In this respect, effective technical and organisational measures were not taken to ensure the integrity and confidentiality of the processing.

The EDPS's report reinforces the concerns already raised by the DSK in 2022: the German supervisory authorities likewise regard the data transfers to the USA as critical, as they were not possible without further protective measures and Microsoft was not taking appropriate protective measures. At the same time, the necessary transparency with regard to the handling of customer data was lacking due to inadequate disclosure of the specific processing taking place. This makes it more difficult for controllers to fulfil their accountability under data protection law in accordance with Art. 5 para. 2 GDPR. Furthermore, there are concerns regarding the unclear and contradictory implementation of the obligations to return and erase data under data protection law in the DPA.

Counterarguments from Microsoft

Microsoft itself considers Microsoft 365 to be compliant with data protection regulations. This emerges from a statement published by the company in 2022 in response to the DSK's assessment. According to Microsoft's argumentation, no excessive requirements should be placed on the obligations of data controllers, as this would otherwise block technical progress and digitalisation. In particular, it would be impractical for the accountability obligation under Art. 5 para. 2 GDPR to be fulfilled by providing the customer with a complete description of every technical function of a data processing programme. According to its own statements, Microsoft fulfils the required standard of security and integrity of processing. Likewise, it is not legally required to exclude every residual risk in connection with data transfers to third countries, meaning that the current protective measures are sufficient.

Analysis

In contrast to the previous opinions, the EDPS report now contains a prohibition order for the first time. The Commission is instructed to suspend all processing operations that are related to third countries when using Microsoft 365 until 9 December 2024.

The core problem highlighted by the EDPS's ruling is that there is no comprehensive legal basis defining the content of DPAs. The content requirements for DPAs are only incompletely derived from Art. 28 para. 3 GDPR. This naturally leads to legal uncertainty. On 24 August 2023, the State Commissioner for Data Protection of Lower Saxony, together with six other supervisory authorities, therefore published guidance on how DPAs should be structured when using Microsoft 365. In this guidance, the supervisory authorities set out in detail how they believe the corresponding DPAs should be drafted.

The EDPS ruling is a bizarre illustration of the existing legal uncertainties: the European Commission, which adopted the GDPR itself, is now in breach of it. In this respect, it remains to be seen how the European Commission will comply with the EDPS's requests by the end of the year and how the disputes surrounding Microsoft 365 will develop. The current dispute could also reignite the debate in this country.

The data protection risk associated with the use of Microsoft 365 must therefore continue to be emphasised both in consulting practice and in the context of corporate transactions. Whether the supervisory authorities will directly impose sanctions in the form of fines is questionable; they have refrained from doing so in the past. The practical risk is therefore low: experience from past supervisory authority and court proceedings has shown that it takes several years from the time data protection concerns about a product arise until they are penalised, especially in the case of software. In addition, Microsoft has always adequately responded to and implemented official requirements in the past. We should therefore wait and see what remedial measures Microsoft takes this time. The company has until 9 December 2024 to do so.

Recommended procedure for risk minimisation

As a residual risk remains, non-state actors are also well advised to accompany the use of Microsoft 365 with data protection risk minimisation measures. In our view, the most effective risk minimisation measures include, for example:

  • Implementation and documentation of a data protection impact assessment in accordance with Art. 35 GDPR
  • Conclusion of a works council agreement pursuant to Section 87 (1) No. 6 BetrVG
  • Implementation of transparent data subject information in accordance with Art. 13 GDPR
  • Entry in the register of processing activities pursuant to Art. 30 GDPR
  • Selection of data protection-friendly settings by the respective Microsoft 365 system administrators