Microsoft is finding itself in an increasingly precarious situation in the European Union (EU), where a working group of German data protection regulators has come to the conclusion that the American company has not been able to resolve any of the compliance issues it raised relating to the cloud-based Microsoft 365 productivity suite.

In September, the local Data Protection Authority (DPA) for the Hesse state in central Germany banned the use of Microsoft 365 in its schools due to worries about privacy infringement. The DPA said it collects data from users’ software, in a clear violation of the EU’s General Data Protection Regulation (GDPR) rules.

Last week, the French Ministry of National Education also urged educational institutions in the country to stop using free versions of Microsoft Office 365 and Google Workspace for schools and students. The Ministry said such offers are not compatible with the GDPR, the Schrems II judgment of the European Court of Justice, and the Dinum circular on the ‘cloud at the centre’.

The GDPR is one of the world’s toughest data privacy and security regulations.

The legislation affects software companies globally, despite the fact that it was designed primarily for the EU and its citizens. In other words, if your organisation collects any data on EU citizens, you are required to comply with the GDPR.

Last week, the Datenschutzkonferenz (DSK) – a steering body for Germany’s decentralised application of data protection law – published a report [pdf] on Microsoft 365’s compliance with specific sections of the EU-wide GDPR.

The report raises concerns regarding Microsoft’s contracts and processing for 365, and the legal justification to process data of EU citizens, especially for what Microsoft calls its “legitimate business objectives.”

Despite a number of modifications Microsoft made to its 365 contracts in a data protection addendum from September 2022, the DSK claims that users of Microsoft’s cloud-based software are unable to demonstrate compliance. Or, to put it another way, the group’s conclusion is that using Microsoft 365 in compliance with the GDPR is currently not possible.

In terms of objectives of processing, the DSK said it was unable to discern any meaningful improvements in contract language, stressing that detailed descriptions and explanations are still absent. Another issue for the authorities is Microsoft’s extensive gathering of telemetry and diagnostic data. According to DSK, Microsoft processes the data “fundamentally for self-interested purposes”. Moreover, Microsoft’s data retention and deletion rules also don’t always adhere to the GDPR’s specifications, the report says.

Microsoft provided the following statement to TechCrunch with respect to the complaints made by the DSK.

“Microsoft 365 products meet the highest industry standards for the protection of privacy and data security,” it said. “We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”

The company argues that the working group has misunderstood how its services operate and that DSK’s objections “do not accurately reflect” changes Microsoft has previously made.

However, the Microsoft does seem to recognise the need to increase transparency.

“We take to heart the DSK’s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better.”