The use of Microsoft Office 365 by governments, businesses and educational institutions violates the General Data Protection Regulation (AVG). The U.S. hardware and software company is not transparent enough about what data it collects and processes. Regulators are urging it to make improvements as soon as possible.
That is what German regional regulators told the Datenschutzkonferenz (DSK), which took place last week (1).
The regulators wanted an answer as to whether Microsoft Office 365's processing of user data complied with European privacy laws and was therefore lawful. To do so, the regulators examined various documents from the U.S. technology company, including its privacy policy and data processing agreement.
"Based on these documents, it was not possible to use Microsoft Office 365 in a way that complied with data protection requirements," the regional regulators concluded. From the documents studied, it is unclear what data Microsoft collects and processes for what purposes. Because Microsoft does not disclose these topics, the regulators have no choice but to conclude that Microsoft is in violation of the AVG.
Although the tech company has introduced a new data processing agreement, even that does not reveal what data Microsoft collects for what purposes. A working group led by the Bayerischen Landesamts für Datenschutzaufsicht (BayLDA), in a conversation with Microsoft, has recommended that it "quickly make improvements in line with [European] data protection."
Microsoft disagrees with the position of German regional regulators. In a German-language blog, the U.S. hardware and software company writes that it is exceeding European rules on data protection (2).
"The DSK's concerns do not adequately take into account the changes we have already made and are based on several misunderstandings about how our services work and the measures we have already taken. We also believe that the DSK report does not take into account important legislative changes that provide better privacy protection for EU-U.S. data traffic," Microsoft said.
The tech company says it takes the regional regulators' call for more transparency extremely seriously. Microsoft promises to provide more information about the data flows of its Office 365 customers. "We will also create more transparency about the locations and processing by subcontractors and Microsoft employees outside the EU," the company promises.
https://datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_zusammenfassung.pdf
https://news.microsoft.com/de-de/microsoft-erfuellt-und-uebertrifft-europaeische-datenschutzgesetze/
