Microsoft and the GDPR

For many companies, the decision to use Microsoft 365 is characterized by various uncertainties. The uncertainty results from the tension between the desire or necessity to use Microsoft cloud products on the one hand and, on the other hand, the very derogatory opinion of individual data protection supervisory authorities, media attention from self-proclaimed data protectionists and opponents of Microsoft, as well as the ruling by the European Court of Justice in July 2020, which declared the Privacy Shield agreement invalid as an adequate guarantee for the transfer of personal data to the USA.

What is diagnostic data?

In order to understand individual points of criticism, customers of Microsoft products must first get an overview of the different types of data Microsoft processes for its customers.

These are the following categories of data:

  • Customer data - the files, documents, emails and messages that the customer company generates and stores in the Microsoft cloud
  • Diagnostic data - data about the use of the products that is collected while the Microsoft services are being used. This data is generated when using Windows 10 as well as the various services in Microsoft 365 (formerly Microsoft Office 365)

In addition to the above-mentioned data categories, there is also the functional data of Windows 10 and of the Connected Experiences services in Microsoft 365. Examples are the design recommendations in PowerPoint, the translation of text in emails or Word documents, and the dictation of text with conversion of speech to text.

In addition to the error information, the diagnostic data contains a randomly generated device ID (the same ID is used for all diagnostic data sent from that device). This information allows Microsoft to determine whether an error occurs 1,000 times on one device or once on 1,000 different devices and is therefore a product problem.

Understanding these three data categories is important for your own risk assessment.


Evaluation of the GDPR compliance of Microsoft 365

A widely known opinion comes from the Netherlands - the Dutch Ministry of Justice carried out a data protection impact assessment of Microsoft Office 365 as early as November 2018, as part of a license negotiation with Microsoft, and came to the following conclusion:

Microsoft Office 365 (version 1904, available from March 2019) in the Microsoft 365 Apps for Enterprise variant (formerly Office 365 ProPlus) can be used in compliance with the GDPR with technical, organizational and contractual measures.

The technical and organizational measures and recommendations at the time included avoiding the web versions of the Office products that run in the browser, disabling the Connected Experiences and switching off the transmission of all diagnostic data.

Microsoft responded to the opinion from the Netherlands and in March 2019 provided, via the Microsoft Store, a tool for displaying the transmitted diagnostic data, giving customers transparency about the diagnostic data in Windows 10 and the Office products. Furthermore, settings for the transmission of diagnostic data were integrated into the Office products. These allow customers to choose whether to transmit required diagnostic data, optional diagnostic data or no diagnostic data at all.

Furthermore, in January 2020 Microsoft published new contract documents (https://aka.ms/OST and https://aka.ms/DPA) governing the data protection treatment of Microsoft services.

In July 2020, the Dutch Ministry of Justice published a new data protection impact assessment. This reaffirmed that the Office web versions should not be used. It also criticized, among other things, that the list of sub-processors was not complete and that the legitimate business purposes listed in the DPA (Data Protection Addendum) were too far-reaching.

The second very media-driven exchange of blows is currently taking place between the Berlin data protection supervisory authority and Microsoft - in March 2020, the Berlin BfDI published an assessment of various providers of video conferencing services during the contact restrictions. You can find a more in-depth look at this process in Stefan Köster eConsulting's blog: https://www.koester-econsulting.com/microsoft-vs-berlin/

The third uncertainty for companies in the EU arises from the ECJ ruling of July 16, 2020 on the invalidity of the Privacy Shield agreement as an adequate guarantee for the transfer of personal data to the USA (and third countries).

In response, the German Data Protection Conference recommends that data be transferred on the basis of the EU standard contractual clauses in conjunction with additional protective measures that prevent intelligence services in the USA from accessing the transferred data. Data encryption is cited as one example of such a measure.

The German supervisory authorities have also published very different opinions on how to deal with this ruling and its effects. In contrast to the data protection supervisory authority in Berlin, which wants to stop all transfers to the USA immediately, the supervisory authority in Baden-Württemberg sees various options here, which were communicated very well in a guidance document (https://www.baden-wuerttemberg.datenschutz.de/verunsicherung-nach-schrems-ii-urteil-lfdi-baden-wuerttemberg-bietet-hilfestellung-an/).


Microsoft reacts

Microsoft has not been idle in recent months and has responded to the various developments in the European market and to the individual points of criticism from the supervisory authorities. Various adjustments have been made to the DPA and the OST, and to the Core Services that fall under these contract documents. The list of sub-processors was updated, and a new function for encrypting customer data (Double Key Encryption) was added as a public preview.

Microsoft is also working with individual ministries and data protection supervisory authorities (use of Microsoft Teams in Baden-Württemberg), with the Federal Data Protection Commissioner and the DSK (use of Office 365) at federal level and with the European Data Protection Committee at European level. Results can be expected here in the foreseeable future.


Recommendation for the use of Microsoft 365

Finally, the following recommendations for action could reduce the uncertainties and, supplemented by a risk assessment, lead to a positive assessment result for most companies.

  • An important basic requirement is the use of a paid business plan, i.e. licensing, so that the relevant contract documents apply.
  • Check the OST and the Core Services it contains - use only these services.
  • Reduce the Connected Experiences and the diagnostic data to a level appropriate to the protection requirements of your data.
  • Avoid using the Office web versions, or adjust the transmitted diagnostic data (additional licenses may be required).
  • Use your own key to encrypt your customer data (BYOK, Bring Your Own Key; additional licenses required).
    • If necessary, check the use of HYOK (Hold Your Own Key) or DKE (Double Key Encryption) for particularly sensitive documents.
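The recommendations to reduce the diagnostic data and the Connected Experiences can be enforced and audited on the client, as shown in the following PowerShell script. This is an added example and not code from the article or from Microsoft; it assumes the per-user Office policy registry keys under HKCU\Software\Policies\Microsoft\office\16.0\common (clienttelemetry\sendtelemetry with 1 = Required, 2 = Optional, 3 = Neither; privacy\usercontentdisabled, downloadcontentdisabled and controllerconnectedservicesenabled with 1 = enabled, 2 = disabled) as documented by Microsoft for the Office privacy controls, and the function and parameter names are the author's own.

```powershell
# Added example (not from the original article): apply and audit the Office
# privacy policy settings for diagnostic data and Connected Experiences via the
# per-user policy registry keys. Key and value names follow Microsoft's documented
# Office privacy policies (assumption: verify against the current documentation
# before rollout). The same values can be deployed via Group Policy or Intune.

$OfficePrivacyKey   = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\privacy'
$OfficeTelemetryKey = 'HKCU:\Software\Policies\Microsoft\office\16.0\common\clienttelemetry'

# Diagnostic data level: 1 = Required, 2 = Optional, 3 = Neither (assumed documented values)
$DiagnosticLevels = @{ Required = 1; Optional = 2; None = 3 }

function Set-OfficePrivacyPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Required', 'Optional', 'None')]
        [string]$DiagnosticLevel,
        # Turn off the Connected Experiences that analyse or download content
        [switch]$DisableContentExperiences,
        # Turn off the optional Connected Experiences (user's own opt-in)
        [switch]$DisableOptionalExperiences
    )
    foreach ($key in $OfficePrivacyKey, $OfficeTelemetryKey) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    New-ItemProperty -Path $OfficeTelemetryKey -Name 'sendtelemetry' -PropertyType DWord `
        -Value $DiagnosticLevels[$DiagnosticLevel] -Force | Out-Null

    # Policy values for the privacy key: 1 = enabled, 2 = disabled
    $contentValue  = if ($DisableContentExperiences)  { 2 } else { 1 }
    $optionalValue = if ($DisableOptionalExperiences) { 2 } else { 1 }
    foreach ($name in 'usercontentdisabled', 'downloadcontentdisabled') {
        New-ItemProperty -Path $OfficePrivacyKey -Name $name -PropertyType DWord `
            -Value $contentValue -Force | Out-Null
    }
    New-ItemProperty -Path $OfficePrivacyKey -Name 'controllerconnectedservicesenabled' `
        -PropertyType DWord -Value $optionalValue -Force | Out-Null
}

function Get-OfficePrivacyPolicy {
    # Reads the effective policy so the result can be recorded in the risk assessment
    $telemetry = (Get-ItemProperty -Path $OfficeTelemetryKey -Name 'sendtelemetry' `
        -ErrorAction SilentlyContinue).sendtelemetry
    $privacy   = Get-ItemProperty -Path $OfficePrivacyKey -ErrorAction SilentlyContinue
    $levelName = ($DiagnosticLevels.GetEnumerator() | Where-Object { $_.Value -eq $telemetry }).Key
    [pscustomobject]@{
        DiagnosticData              = if ($levelName) { $levelName } else { 'Not configured (user choice applies)' }
        ContentAnalysisDisabled     = ($privacy.usercontentdisabled -eq 2)
        OnlineContentDisabled       = ($privacy.downloadcontentdisabled -eq 2)
        OptionalExperiencesDisabled = ($privacy.controllerconnectedservicesenabled -eq 2)
    }
}

# Example: required diagnostic data only, content-analysing and optional experiences off
Set-OfficePrivacyPolicy -DiagnosticLevel Required -DisableContentExperiences -DisableOptionalExperiences
Get-OfficePrivacyPolicy | Format-List
```

The audit function is the part worth keeping in a baseline check: a value of 'Not configured' means the user's own privacy choice applies, which is exactly the state the risk assessment should not silently accept.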

If necessary, carry out a supplementary analysis of the (residual) risks. Consider customer data and diagnostic data separately!

The following table visualizes my approach:

A guest article by Stefan Köster eConsulting | Op de Elg 13a | 22393 Hamburg | Web: www.koester-eConsulting.com