First of all and very important: I, the author, am not a lawyer and have no legal qualification. This article summarizes the facts on the topic of "Can Microsoft Online Services be used in a privacy-compliant manner following the GDPR?
What is it actually about?
Ulrich Kelber, Chairman of the DSK (German Data Protection Conference), said at a press conference on November 24, 2022, that the use of Microsoft 365 remains contrary to data protection.
Reason, among others: It was still unclear which data was collected, transferred and processed for Microsoft's own purposes.
In summary, the lack of transparency is the cause of concern for the DSK.
The DSK doubts that Microsoft 365 can be used in a data protection-compliant manner "...just like that on a computer without further protective measures". The protection that is meant here refers to the so-called perimeter security. The DSK admits that data protection-compliant use is perhaps possible if techniques such as proxy servers or micro-virtualization are used. On a central proxy server, over which all data traffic is routed, the data flow can then be monitored and controlled in detail.
This approach is not new, but is increasingly being replaced by zero trust architectures because it is simply no longer up to date. In addition, cloud providers generally require that data traffic/access to SaaS, IaaS and PaaS services is direct, i.e., that there is no proxy server or techniques such as packet inspection in between.
- „…Microsoft 365 networking is to optimize the end user experience by enabling the least restrictive access between clients and the closest Microsoft 365 endpoints…“
- „…To connect to your WorkSpaces, the network that your WorkSpaces clients are connected to must have certain ports open to the IP address ranges for the various AWS services…“
Options of the customer
The customer itself is not in a able to setup the transparency required by the DSK or to technically influence which data is processed by the contract data processors (Microsoft, AWS, Google, Salesforce, etc.).
In the Microsoft cloud services, the customer can only partially influence the "transparency" by using the Double Key Encryption
However, this does not apply to all types of personal data. For example, it cannot be used to encrypt user data in Azure AD. The "Bring your Own Key" technology, which then also affects tenant encryption as a whole, requires that the own key is uploaded to a Key Vault in Azure. This key is then also stored in the Microsoft Cloud and Microsoft therefore has access to it, at least technically. For details see: Service encryption with Microsoft Purview Customer Key
So what to do?
The DSK (German Data Protection Conference) is a committee of the independent data protection authorities of the German government and the German Federal States. Its focus is on compliance with data protection in the non-public sector. The opinions and guidance published by the DSK are based on the data protection laws of Germany and the German Federal States.
Its focus is on compliance with data protection in the non-public sector. The opinions and guidance provided by the conference are not legally binding. However, they have a de facto impact on the future of data privacy in Germany due to the expertise and authority of the conference members.
DSK says about the use of M365...
...data controllers must be in a position at all times to meet their accountability obligations under Article 5 (2) GDPR. When using Microsoft 365, difficulties can still be expected in this regard on the basis of the "data protection supplement", as Microsoft does not fully disclose which processing operations take place in detail. In addition, Microsoft does not fully disclose which processing operations take place on behalf of the customer or which take place for its own purposes. The contract documents are not precise in this respect and, as a result, do not permit conclusively assessable, possibly even extensive processing also for the customer's own purposes...
Microsoft says this...
… We respectfully disagree with the DSK position as we ensure that our M365 products not only meet, but often exceed, the strong data privacy laws in the European Union. Our customers in Germany and across the EU can confidently use the M365 products in a legally compliant way…
From the customer's perspective, this is a tricky situation. On the one hand, an institution whose statements are not binding, but are weighty, said NO to M365 for German customers. On the other hand, Microsoft says, "Our customers in Germany and throughout the EU can continue to use M365 products without hesitation and in a legally secure manner.
All in all, the following wording sums it up perfectly for now:
The statement of the DSK is nothing more and nothing less than the legal opinion of a committee of the executive authority. This is not binding. The judiciary, i.e. the German and European courts, has the final word
Or to put it in the words from the Microsoft article:
We look forward to the new framework becoming the basis for a positive European Commission adequacy decision under the GDPR in 2023.