Microsoft 365 is facing criticism over its data protection practices after a report was published outlining a cavalcade of regulatory failures.
The report, written by a working group of German data protection regulators, outlines a series of GDPR (General Data Protection Regulation) concerns related to Microsoft’s Cloud-based products.
According to the report, Microsoft’s compliance woes include its speculative interpretation of processing personal data on the grounds of ‘legitimate interest’, inadequate technical and organisational measures to protect personal data and flaws in the way it transfers personal data out of the EU.
Having previously been urged to improve its practices, Microsoft and the organisations that use its services are now under intense pressure to review their GDPR compliance measures, with potential regulatory action looming.
Microsoft initially came under the microscope in 2019, after the EDPS (European Data Protection Supervisor) raised concerns about its data protection practices. The tech giant announced that it would make changes, but the latest report indicates that it didn’t go far enough.
The German data protection regulators – led by the DSK (Datenschutzkonferenz) – released a statement accompanying their report, saying that Microsoft had only made “minor improvements” to its practices.
The group concluded that Microsoft’s contractual terms mean that it’s impossible for organisations that use its Cloud-based services to demonstrate GDPR compliance.
Among the issues that the group raised are the lack of clarity and precision in Microsoft 365’s third-party contracts. Specifically, there are questions surrounding Microsoft’s interpretation of Article 6 of the GDPR, which states that organisations must document a lawful basis for processing personal data.
The GDPR gives organisations six options to choose from, with Microsoft using ‘legitimate interests’.
This basis applies whenever an organisation has a reasonable use for personal data, provided that it isn’t overridden by the interests or fundamental rights and freedoms of the data subject.
However, the German regulators have taken exception to Microsoft’s approach, stating that the data collected under these terms isn’t used for “legitimate business purposes”.
Another concern that the group raised relates to Microsoft eschewing the responsibilities of a data controller by positioning itself as simply a data processor.
A data controller determines the purposes for which an organisation collects and uses personal information, whereas a data processor performs the data collection itself.
Data controllers have greater responsibilities, including overseeing the requirements related to the GDPR’s accountability principle.
Microsoft has argued that its customers are data controllers, as they manage the use of personal data, while the software is used purely for collecting that information.
The regulators state that, although that will be the case in some instances, it “could not be conclusively clarified”.
Technical and organisational failures
The report questions the measures that Microsoft has adopted related to the safety of exported data. Article 32 of the GDPR sets out the technical and organisational measures that organisations should implement to protect the personal data that they store.
The Regulation doesn’t go into specific detail about what these processes should look like, because best practices – particularly when it comes to technology – change rapidly, and what is considered appropriate now might not be in a few years.
Yet, the German regulators point to legal uncertainties over the measures that Microsoft claims to have implemented, which reportedly only cover a subset of the personal data that’s subject to its contractual terms.
Although Microsoft says it amended its contracts to address the concerns previously raised, the report states that these are superficial tweaks to the language that do not bring any “substantial improvements”.
Another contentious issue is Microsoft’s large-scale processing of telemetry and diagnostic data. The report says that the information is being used “fundamentally for self-interested purposes”, which public sector users will struggle to justify.
The report also takes issue with the way Microsoft transfers personal data out of the EU. It states that it’s impossible to use the organisation’s services without information being moved to the US – and with the collapse of the EU–US Privacy Shield Framework in 2020, there is no legal structure that permits such transfers.
There are also concerns about legal issues related to US laws such as the Cloud Act and FISA 702, which force Microsoft to make personal data available to the government. This requirement contradicts EU privacy laws and is one of the reasons that data transfer frameworks such as the EU–US Privacy Shield have repeatedly failed.
Microsoft stands firm
Responding to the report, Microsoft said that the DSK’s concerns “do not appropriately reflect changes we have already undertaken and are based on several misunderstandings regarding how our services operate and measures we already have in place”.
As an example, Microsoft cites “an improved notification process for subprocessor changes”. It adds that it has “fully cooperated with the DSK, and while we disagree with the DSK’s report, we are committed to addressing remaining concerns.
“We take to heart the DSK’s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better.”
In a separate statement, available only in German (although machine translated here), Microsoft accuses the regulators of interpreting the GDPR in an “excessively risk-averse manner”, which it believes “overburdens and paralyses” organisations.
These are common criticisms levelled against the Regulation by organisations that have been found to have violated its requirements. Protestations have rarely helped those facing enforcement action and fines, but fortunately for Microsoft it is not yet facing disciplinary action.
It is currently up to the EU regulators to determine whether to pursue the matter. If they do, Microsoft will almost certainly appeal the penalty, so we are unlikely to see a definitive conclusion to this matter any time soon.