Update Data Protection No. 80
Berlin data protection authority criticizes commissioned data processing aspects of Microsoft Office 365
On July 3, 2020, Berlin’s commissioner for data protection and freedom of information published Advice on providers of videoconferencing services. This advice looked closely at the contractual terms and conditions of the providers Cisco, Google, Zoom, and Microsoft.
Facts of the case
Although there was some consideration of technical details, the main issue was the question of whether the providers are using legally compliant contracts for commissioned data processing pursuant to Art. 28 GDPR. The synopsis that starts on page 10 of the advice concluded that the terms and conditions for commissioned data processing that Microsoft currently uses for the Microsoft Teams video function are not legally compliant.
This assessment is interesting because Microsoft currently uses the terms and conditions for commissioned data processing for the entire Microsoft Office 365 package and not just the Microsoft Teams application. Thus, from the perspective of Berlin’s data protection authority, it is not possible to use Microsoft Office 365 in a legally compliant manner. The reasons for this view include inconsistencies in the structure of the documents, Microsoft’s own rights to use the data (joint data controllers?), and non-compliance with minimum GDPR requirements.
Relevance
If companies are still using an installed (on-premises) version of Microsoft Office, the above advice will only matter if Microsoft was granted access to data as part of any service agreements, which, as far as we are aware, does not happen. However, if Microsoft Office 365 is used in the company, the Berlin data protection authority’s latest advice should be heeded, because the authority believes that a GDPR breach has been committed that could attract a fine (infringement of Art. 28 GDPR).
Recommended actions
The Berlin supervisory authority’s advice was issued on the subject of videoconferencing systems and so primarily relates to applications such as Microsoft Teams. There are 15 other supervisory authorities in Germany that may hold a different legal opinion (as Hesse, for instance, did recently, even though the commissioned data processing terms were worded very similarly at the time). We anticipate that Microsoft will contact the Berlin supervisory authority to agree on a potential amendment to the disputed parts of the contractual documents. Although supervisory authorities could take measures against the use of Microsoft Teams or Office 365 as a whole as a direct consequence of the Berlin supervisory authority’s advice, we do not anticipate this as an initial course of action. However, we do expect the various state supervisory authorities to enter into discussions with one another about Microsoft and commissioned data processing in the near term. That being so, this subject will be monitored over the coming weeks, in particular the pending ECJ judgment (“Schrems II”) on data transfers to third countries on the basis of the EU standard contractual clauses (scheduled for July 16, 2020).
In the meantime, companies that continue to use Office 365, and especially Microsoft Teams, should again review whether the necessary internal measures have been taken to ensure that Office 365 is deployed in a legally compliant manner, for instance by using the Microsoft Compliance Manager (if available in the subscribed package), restricting the corporate address book to the national company, deactivating activity and usage reports (to the extent that these enable performance or conduct monitoring), or including the individual Office functionalities (including Teams) in the company’s internal data processing register.