Two weeks ago, the Conference of the Independent Data Protection Authorities of Germany (Datenschutzkonferenz or “DSK”) released a report examining the compliance of Microsoft 365 (Microsoft) with the European Union’s General Data Protection Regulation (GDPR). The report’s overarching conclusion was that use of Microsoft 365 applications by businesses processing personal data runs afoul of GDPR requirements.

The DSK report alleged that Microsoft’s policies and disclosures lack clarity with respect to how personal data is processed and which entity is processing that data. DSK was unable to conclusively determine the cases in which Microsoft acts as a data controller rather than a data processor. The distinction between a data controller and a data processor is important because Article 5(2) of the GDPR imposes additional accountability requirements and responsibilities on data controllers. The DSK also expressed concerns regarding Microsoft’s lack of overall clarity and notification to users about subcontractors and sub-processors. The group determined that Microsoft’s lack of detail regarding subcontractors and sub-processors falls below the European Commission’s template on Standard Contractual Clauses.

The DSK report also examines doubts surrounding Microsoft’s GDPR compliance when Microsoft tools are used by public sector organizations, specifically schools. This concern stems from the DSK’s apprehension regarding what Microsoft considers a “legitimate business purpose” or “legitimate interest” to process data. Additionally, the DSK has concerns regarding the adequacy of Microsoft’s measures on EU data exports to third countries, including the United States, and found the current measures lacking under the GDPR, despite Microsoft’s added technical and organizational measures for exported data.

The DSK report outlined many concerns despite the changes Microsoft recently made in its September 2022 Data Protection Addendum, and found that, as it stands, it is not possible for Microsoft’s cloud-based software to show compliance with the GDPR. The DSK report acknowledged the Data Protection Addendum but found that it contained no significant changes, and that the changes Microsoft did make were minor and superficial and do not rebut any concerns regarding Microsoft’s practices under the GDPR.

Microsoft responded to the DSK report by releasing a statement intended to mitigate concerns about its compliance under German and EU data privacy laws. Microsoft explained that it has already implemented several changes to the way its services operate, including improved notification processes for sub-processors and clarity on its use of personal data for business operations. In the statement, Microsoft also committed, as part of its EU Data Boundary, to greater transparency in documenting customer data flows, purposes of processing, and information on sub-processors.

The concerns in the DSK report have yet to result in any legal action or regulatory investigation under the GDPR, but the report demonstrates that EU data protection groups are looking for any offenders. This recent report by the DSK serves as an important reminder for businesses that GDPR compliance is stringent, and that no application is so widely relied upon that it avoids scrutiny. Merely tweaking language without proper processes and procedures in place may lead to enforcement trouble under the GDPR.

For more information on data privacy and security regulations and other data privacy questions, please visit Taft’s Privacy & Data Security Insights blog and the Taft Privacy and Data Security mobile application.