As announced at the beginning of this week, a working group of the federal and state data protection conference is warning against the use of the products offered within the framework of Microsoft 365. According to "Der Spiegel", the expert group concluded that when the products are used in public authorities and state institutions such as schools, they cannot be operated in compliance with data protection law. In concrete terms, this means that these organizations would have to stop using common office programs such as Excel or Word if they are to comply with data protection law. This was apparently the conclusion the conference reached after an investigation lasting several months, during which contracts and documents were examined in detail. The working group itself has not yet published these findings, as the data protection officers of the German states still disagree on them.
The fact that data protection authorities criticize Microsoft is not particularly surprising, as the US company has been reprimanded on this point several times before - as have other American tech companies. That those responsible in this country take a particularly critical look at the official use of common programs with regard to data protection is, first of all, very welcome, because it shows that the topic - alongside IT security - is given the importance it deserves. After all, digitization, whether in a company, in the public sector or at school, only works if security is the top priority. This security must be guaranteed by organizational and technical measures and must be constantly questioned and checked. In this case, however, the statement of the working group of the data protection conference overshoots the mark, because data-protection-compliant use of Microsoft 365 is entirely possible if certain criteria are met.
What can lead to data protection problems when using common office applications is above all the question of storage. If information is stored in the cloud environments of American providers, the data is subject to the so-called CLOUD (Clarifying Lawful Overseas Use of Data) Act. In principle, this means that US government authorities can gain access to it even if it is located outside the United States. The mere fact that an American company stores the data is sufficient for this authorization. The CLOUD Act thus obliges US companies to disclose the information even if local law at the place of storage prohibits this. This regulation is clearly in conflict with EU law and the GDPR: under the GDPR alone, personal data may not be handed over to US authorities without a mutual legal assistance agreement. This therefore affects all information stored via Microsoft tools, including Teams and OneDrive.
The good thing is that it is still possible to use common Microsoft applications in compliance with data protection regulations - provided that the information is stored with a non-American, preferably European, cloud service instead of in OneDrive. Ideally, in addition to all Office products, files from the respective cloud service, such as an Enterprise File Sharing service, can also be shared, loaded and used directly via link within the rapidly growing MS Teams. If the European or German provider has a corresponding integration, all files sent via MS Teams can be uploaded directly to that cloud securely and in compliance with the GDPR, without being stored in Teams. This means that companies can continue to use the standard office applications; only the storage of data is arranged differently and is therefore not subject to the CLOUD Act. At the same time, compliance with the GDPR becomes possible. Ideally, the Enterprise File Service offers client-side encryption, so that information cannot be intercepted and viewed by third parties, independently of non-European laws. With this technology, data sovereignty remains with the user.
Overall, the care with which data protection authorities act in this country is to be welcomed. However, the statement by the working group of the Data Protection Conference of the Federal and State Data Protection Authorities that authorities cannot use Microsoft 365 services from a data protection perspective is not entirely correct. The CLOUD Act - and with it the disadvantages it entails for GDPR compliance - can be avoided through intelligent cooperation between American manufacturers and European providers of cloud services. In principle, it is gratifying that more and more US providers such as Microsoft are meeting the need of European companies for maximum data protection and security.