Microsoft 365 and Data Protection: US Data Transfer is Inadmissible, Consent is Invalid

There have been many discussions recently around Microsoft 365 and its use in companies and administration. Despite its widespread use, the German supervisory authorities have long held the view that the US-based company does not sufficiently meet the requirements of data protection. The Data Protection Conference of the German supervisory authorities (DSK) also came to this conclusion in a report published in November 2022, which dealt with the Microsoft Products and Services Data Protection Addendum issued on 15 September 2022.

According to this report, Microsoft continues to provide insufficient information about how the company processes personal data, which further means, for instance, that any data processing by Microsoft on the basis of consent is inadmissible. In addition, it maintains that it is in no circumstance permissible to process personal data that are subject to the GDPR on Microsoft’s US-based servers.

Unlike in previous statements, the DSK directly addressed controllers – for the most part companies that use MS 365 to process personal data. Companies should therefore act immediately to avoid fines.

A. Background

The authorities’ assessment of Microsoft has been made against the backdrop of the strict requirements placed on the transfer of personal data to non-EU countries, as well as the judgments made by the European Court of Justice (ECJ) that have held the Safe Harbor agreement with the USA and then the EU-US Privacy Shield to be invalid. This means that there is no longer any adequacy decision on US transfers according to Art. 45 GDPR which would allow the use of US providers without implementing further measures. The EU and the USA are currently looking to adopt a “Privacy Shield II”. However, there is already significant skepticism about whether the American executive order issued for this purpose is able to produce a level of data protection that matches that of the EU (as we reported here). The use of US providers therefore remains complicated.

After the Higher Regional Court of Karlsruhe determined in a lawsuit over an award of tender that the use of a European subsidiary of a US provider (in this case AWS) was not a data protection breach per se (Decision of September 7, 2022, 15 Verg 8/22; as reported by Heuking), it had been increasingly hoped that it was possible to lawfully use the services of EU subsidiaries of US companies, such as Microsoft Ireland Operations Ltd. This hope has now been dampened by the statement made by the DSK.

The supervisory authorities had already come to the conclusion in 2020 that, based on the contractual document in operation at the time, it was not possible to use Microsoft in a way that complied with data protection laws (Heuking’s report on the criticism of Berlin’s commissioner for data protection and freedom of information in July 2020). Following this, a working group was supposed to work with Microsoft to introduce the changes the US company needed to make in order for its products to be used lawfully in Europe. Although these discussions have since been concluded, the DSK was still very critical of Microsoft’s latest contractual changes.

B. Criticism from the DSK

The DSK assessed the Data Protection Addendum published by Microsoft which is meant to replace Microsoft’s current Data Protection Addendum (DPA), in particular, in order to meet the requirements of the new EU standard data protection clauses on data transfer to third countries (as reported by Heuking) which will be mandatory from December 27, 2022, even for existing contracts.

Although this Data Protection Addendum is meant to be the result of the discussions with Microsoft, the DSK only recognizes “minor improvements”, so data protection-compliant use of MS 365 remains complicated. In particular, Microsoft has not made any adjustments to the actual processing and continues to reserve the right to process data for unspecified “business activities”. 

Generally speaking, companies implement MS 365 on the basis of a data processing contract (Art. 28 GDPR). In return for this privileged status, the client must have sole rights of instruction, which here, however, cannot be exercised to their full extent as Microsoft reserves the right to process data for its own purposes. The right of instruction therefore remains restricted, even if the disclosure of data by Microsoft is prohibited by law or described in the Data Protection Addendum. As Microsoft does not restrict disclosure to cases that are required on the basis of the law of the Union or of its Member States, this represents an infringement of Art. 28(3) sentence 2 (a) GDPR.

However, the report of the DSK “Microsoft online services” working group is not only addressed to the US company itself, but also to those controllers under data protection law within the meaning of Art. 4(7) GDPR which use Microsoft services to process personal data.

According to Art. 5(2) GDPR, the latter are required to prove that they respect the data protection principles provided for in Art. 5 GDPR (“accountability”). According to the DSK, it is not possible to provide such evidence on the basis of Microsoft’s new Data Protection Addendum, as companies are not in a position to prove the transparency and lawfulness (Art. 5(1)(a) GDPR) of the processing. This is mainly due to the fact that Microsoft has not provided any information about which personal data the US company would use for which purposes of its own. Consequently, it would not be possible to inform data subjects as required by Art. 12 et seqq. GDPR – after all, the controller, which is therefore subject to the obligation to inform, would not know itself what was happening with the data of its employees, customers, suppliers etc.

This insufficient information further means that the data subjects cannot consent to the disclosure of their data to Microsoft. If their consent is nonetheless obtained, it becomes invalid, as it lacks any legal basis and any processing of data on the basis of such consent constitutes a data protection breach.

Furthermore, it is inadmissible for Microsoft to process in the USA any personal data that are subject to the GDPR. Although a new mechanism for lawfully transferring data to third parties within the meaning of Art. 46(2)(c) GDPR was made available when the standard data protection clauses came into force in June 2021 (as we reported here), these contractual clauses do not release controllers from themselves verifying the level of protection in the third country in question. It remains a continual debate whether this is even possible for the USA in particular. The DSK has now made its position clear: There are no plausibly sufficient protection measures for lawfully exporting data to the USA due to Microsoft’s business model, so data transfers are not admissible in any circumstance. Although “in principle” storing personal data in the EU only should be possible from December (at the earliest), there remains the fact that Microsoft could still transfer such data to the USA.

Further criticisms include insufficient obligations to return or erase data, as well as legal uncertainties due to the fact that the further technical and organizational measures (TOM) implemented by Microsoft in accordance with Art. 32 GDPR do not cover all affected personal data.

On the other hand, the DSK did not carry out an assessment of the US executive order, which it justified by claiming that is not yet possible to say anything about its actual implementation.

C. Why is this important for companies?

Where Microsoft services are used, they are almost always involved in processing personal data. This could be employee data in payroll accounting documents or customer data in electronic mailboxes that are processed using Outlook. All of these areas fall under the scope of the GDPR. 

Infringements of obligations under the GDPR can lead to fines of up to EUR 20 million or 4 % of worldwide annual turnover. While the use of MS 365 has generally been tolerated by the authorities until now and, where doubts have been expressed, it has been the US provider itself which was criticized, the new statement document now addresses companies directly and concludes that the latter will not be able to fulfil their legal duties when using MS 365 on the basis of the new Data Protection Addendum. The decision that the use of MS 365 can no longer be supported on the basis of the consent of the data subjects and that processing with MS 365 on US servers is essentially inadmissible gives the authorities a new handle. There are therefore strong indications that companies will themselves become more of a focus for the authorities in relation to the data protection-compliant use of MS 365. To avoid potentially high fines, companies using MS 365 should take the initiative now and not wait until it is too late and a warning is issued.

D. What should be done?

Unlike for public bodies, the use of Microsoft is at least not completely excluded for companies from the outset. Although consent to data transfers cannot be effectively obtained from the data subject, it is still possible to justify such on the basis of the controller’s legitimate interests (Art. 6(1) sentence 1 (f) GDPR). Although the DSK has not explicitly taken a view on this, it does not seem to consider this a completely inadmissible option. As the DSK has clearly positioned itself against the use of MS 365 on US servers, any such use must cease. However, there are still risks associated with the use of EU servers, namely that Microsoft does not exclude transferring data to the USA in individual cases. Nevertheless, the DSK seems committed to finding a solution with Microsoft, and Privacy Shield II is also still being planned. In the meantime, companies should take the following actions:

• Ideally, negotiate individual contracts stating that Microsoft will not process any data for its own purposes. However, only very large companies are likely to have such a strong negotiating position.
• Check legal bases: Using Microsoft to process personal data may no longer be supported by consent based on Art. 6(1) sentence 1(a) GDPR.
• Consider the balance of interests: Is there a compelling and justifiable interest in implementing MS 365 and therefore transferring personal data to Microsoft? This must generally be rejected if equivalent programs exist with which there is no similar possibility of data access and for which any processing by the provider itself is excluded.
• Use the “EU Data Boundary”: at least personal data will then be processed in the EU area “in principle”. Using MS 365 without the data boundary is also currently not possible, even with comprehensive additional protection measures!
• DSK further requires Microsoft to provide each customer with a list of processing activities, which can be included as an appendix or directly in the contract. Even here, companies can at least attempt to negotiate.
• Check contracts with other US providers: If these reserve the right to use data for their own unspecified purposes, it can be assumed that here again, it would be impossible to lawfully inform data subjects or obtain their consent.