Microsoft is finding itself in an increasingly precarious situation in the European Union (EU), where a working group of German data protection regulators has come to the conclusion that the American company has not been able to resolve any of the compliance issues it raised relating to the cloud-based Microsoft 365 productivity suite.
In September, the local Data Protection Authority (DPA) for the Hesse state in central Germany banned the use of Microsoft 365 in its schools due to worries about privacy infringement. The DPA said the suite collects data from users’ software, in clear violation of the EU’s General Data Protection Regulation (GDPR) rules.
Last week, the French Ministry of National Education also urged educational institutions in the country to stop using free versions of Microsoft Office 365 and Google Workspace for schools and students. The Ministry said such offers are not compatible with the GDPR, the Schrems II judgment of the European Court of Justice, and the Dinum circular on the ‘cloud at the centre’.
The GDPR is one of the world’s toughest data privacy and security regulations.
The legislation affects software companies globally, despite the fact that it was designed primarily for the EU and its citizens. In other words, if your organisation collects any data on EU citizens, you are required to comply with the GDPR.
Last week, the Datenschutzkonferenz (DSK) – a steering body for Germany’s decentralised application of data protection law – published a report [pdf] on Microsoft 365’s compliance with specific sections of the EU-wide GDPR.
The report raises concerns regarding Microsoft’s contracts and processing for 365, and the legal justification to process data of EU citizens, especially for what Microsoft calls its “legitimate business objectives.”
Despite a number of modifications Microsoft made to its 365 contracts in a data protection addendum from September 2022, the DSK claims that users of Microsoft’s cloud-based software are unable to demonstrate compliance. Or, to put it another way, the group’s conclusion is that using Microsoft 365 in compliance with the GDPR is currently not possible.
In terms of objectives of processing, the DSK said it was unable to discern any meaningful improvements in contract language, stressing that detailed descriptions and explanations are still absent. Another issue for the authorities is Microsoft’s extensive gathering of telemetry and diagnostic data. According to the DSK, Microsoft processes the data “fundamentally for self-interested purposes”. Moreover, Microsoft’s data retention and deletion rules don’t always adhere to the GDPR’s specifications, the report says.
Microsoft provided the following statement to TechCrunch with respect to the complaints made by the DSK.
“Microsoft 365 products meet the highest industry standards for the protection of privacy and data security,” it said. “We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”
The company argues that the working group has misunderstood how its services operate and that DSK’s objections “do not accurately reflect” changes Microsoft has previously made.
However, Microsoft does seem to recognise the need to increase transparency.
“We take to heart the DSK’s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better.”