Data protection compliant use of Microsoft services?

Last week, the European Data Protection Committee issued initial recommendations for action on the design of safeguards and invited consultation on them…

Quotation, extracts: “All stakeholders and decision-makers in international data transfer are called upon to find legally sound solutions based on appropriate safeguards that take sufficient account of European data protection concerns.

Microsoft, as one of the key providers of globally networked IT products for businesses and public authorities, has now made a number of proposals for safeguards that directly strengthen user rights. The European Court of Justice has clearly ruled that data flows from Europe to the US are no longer allowed without additional measures. Microsoft’s initiative presented today is a first step in responding to this request from the European Court of Justice and data protection authorities responsible for the enforcement of the GDPR.

Quotation: Dr. Stefan Brink stresses: “If a data processing company wants to operate in the European market in the future, it must comply with European legal standards, in particular the GDPR. This includes that companies inform affected persons when security authorities gain access to their data. It is good and necessary that a company like Microsoft complies with European data protection rules and amends its contractual clauses accordingly. The European Court of Justice has clearly ruled that data flows from Europe to the US are no longer allowed without such additional measures.”

Microsoft’s new contractual clauses contain provisions on:

  • informing the data subject when Microsoft has been legally bound by a government order to release data to US security authorities
  • Microsoft’s obligation to take legal action and to appeal to the US courts to challenge the administrative order to release the data
  • the right to compensation for damage suffered by the data subject whose data were unlawfully processed and who suffered material or non-material damage as a result

The joint assessment of the data protection authorities involved is that this does not generally solve the problem of transfer to the US: an addition to the standard contractual clauses cannot have the effect of preventing access to the data by US intelligence services, which the European Court of Justice has criticised as disproportionate.
But the fact that Microsoft, as one of the largest international groups in the world, with significant market power in Europe, is now moving in the right direction and is incorporating contractual clauses into its products that are substantial improvements for the rights of European citizens is an important step and a clear signal to other suppliers to follow suit. Before the end of the year, DSK will continue its talks with Microsoft on the Office package – the progress now achieved promises to give it “tailwind”.

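Source: Press release of the Bavarian State Commissioner for Data Protection (Bayerischer Landesbeauftragter für den Datenschutz), Bavarian State Office for Data Protection Supervision (Bayerisches Landesamt für Datenschutzaufsicht).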
https://www.lda.bayern.de/media/pm/pm2020_9.pdf

With these measures taken by Microsoft, together with further settings and security measures on the part of EU companies, such as the use of the Enterprise Version (MS), the choice of a European server site with additional encryption, etc., some regulators currently see the possibility of using Microsoft’s services.