After a process lasting two years, the joint committee of the German federal data protection authority and 17 state regulators found “that, on the basis of these documents [provided by MS], it is not possible to use Microsoft Office 365 in a way that complies with data protection requirements”.
Boom
Now I wonder if and how it is possible for similar services from Google or other U.S. companies to comply with EU laws.
This is particularly significant in Italy, where almost all schools are using Google Classroom (wouldn’t it be the moment to use EU services instead?).
Last week the French ministry for education, answering a question from a Parliament member, had already stated that using Microsoft and Google in schools was illegal under the EU GDPR regulation.
This is the statement by the Ministry.
The statement by the German regulators is broader, as it is not limited to schools.
This is the document by German regulators.
Here are some highlights:
At its meeting on September 22, 2020, the DSK asked a working group under the leadership of Brandenburg and the Bavarian State Office for Data Protection Supervision (BayLDA) to enter into talks with Microsoft “in order to promptly achieve data protection-compliant improvements as well as adjustments to the standards for third-country transfers for the application practice of public and non-public bodies as indicated by the ECJ’s Schrems II decision.”
In response, a working group began discussions with Microsoft in late 2020. Participants in the WG were: Brandenburg and BayLDA (both leadership), BfDI, Baden-Württemberg, Berlin, Hesse, Mecklenburg-Western Pomerania, Saxony, Saarland, and Schleswig-Holstein. For Microsoft, employees of Microsoft Deutschland GmbH including a member of the management and, depending on the focus, contact persons from Microsoft Corporation (USA) participated. 14 video conferences lasting several hours were held as part of the talks. The discussions had to take into account that the lead data protection supervisory authority for Microsoft Ireland Operations, Ltd. as a party to the order processing agreement is the Irish supervisory authority and that the German supervisory authorities are responsible for the supervision of the respective German customers (e.g., companies, public authorities, i.e., data controllers within the meaning of Article 4 No. 7 of the GDPR). The essential question for the German supervisory authorities was therefore whether the individual processing activities of the controllers here (for which they have commissioned Microsoft) are lawful and whether the processing contract complies with the requirements of Art. 28 of the GDPR.
In addition, it had to be considered that the cloud service Microsoft 365 can be used in different functional scopes, variants and configurations.
The basis for the following assessments is the “Data Protection Addendum for Microsoft Products and Services from Microsoft” (hereinafter: “Data Protection Addendum”) in its current version of September 15, 2022. The assessment is based on the factual and legal situation existing at the end of the report on October 10, 2022.
…Binding of instructions, disclosure of processed data, fulfillment of legal obligations, CLOUD Act, FISA 702
The current September 2022 Privacy Addendum includes changes to previous provisions governing disclosures of data provided to Microsoft as a processor for its own business purposes “to comply with legal obligations.” In doing so, the amendments contain new wording, but the bottom line is that the powers remain similarly broad.
For example, the regulation restricts the customer’s right to issue instructions with regard to disclosures of data processed on behalf of the customer. The data privacy addendum permits disclosures if required by law or described in the “data protection addendum.” Such disclosures are not limited to instructions from the data controller. Against the background of Art. 28(3) subparagraph (1) sentence 2(a) DSGVO, they are only permissible if they are limited to obligations arising from Union or Member State law to which Microsoft is subject. This is not the case. Thus, Microsoft’s binding to instructions does not satisfy the legal minimum requirements pursuant to Art. 28(3) subparagraph (1) sentence 2(a) of the GDPR.
The investigations of the working group show that Microsoft also contractually reserves the right to far-reaching disclosures that, if implemented, would not comply with the requirements set forth in Art. 48 of the GDPR.