A working group of German data protection regulators has determined that Microsoft 365 cannot comply with the GDPR without additional technical measures.

The Microsoft 365 package cannot be used by companies, authorities and schools in a legally compliant manner, at least not without additional technical measures. This is the conclusion of a data protection assessment adopted by Germany’s independent federal and state data protection supervisory authorities at their recent data protection conference.

Users have to take additional protective measures, warns Ulrich Kelber, the Commissioner for Data Protection and Freedom of Information at BfDI, Germany’s data protection authority (DPA).

The conclusion could adversely impact Microsoft 365 customers in Germany, pressuring them to take “additional protective measures” such as renegotiating their contracts with Microsoft. The same would apply elsewhere in the European Union, which is subject to the same data protection framework. In countries such as France and the Netherlands, regulators are also investigating cloud services’ GDPR compliance.

The German assessment comes as the European Data Protection Supervisor (EDPS) is participating in a coordinated action of the EDPB (European Data Protection Board). The Supervisor is focussing on the GDPR compliance of cloud-based services among EU agencies, institutions and other bodies.

Transatlantic data transfers are problematic

Microsoft published a new version of its data processing agreement in September. With the new version of the ‘Microsoft Products and Services Data Protection Addendum’, the company has adopted the latest standard contractual clauses of the European Commission, among other things. This was necessary because the European Court of Justice (ECJ) declared the EU-US transatlantic Privacy Shield invalid with the Schrems II judgment.

Recent changes in US law could allow a new Privacy Shield agreement to be put into place between the US and the EU. However, it remains to be seen whether the EU would be willing to rely on a plan that depends on President Biden’s Executive Order — one which could be immediately revoked by a subsequent administration.