Is Office 365 permissible under data protection law?

According to an assessment by the Administrative Working Group of the Conference of Independent Data Protection Authorities of the Federation and the Länder (Data Protection Conference) of 15.07.2020, a data protection-compliant use of Office 365 is not possible on the basis of the underlying Online Service Terms (OST) and the Data Protection Provisions for Microsoft Online Services (Data Processing Addendum / DPA) (both as of January 2020).

However, in a press release of 02.10.2020, the data protection supervisory authorities of Baden-Württemberg, Bavaria, Hesse and Saarland emphasised the assessment of the Administrative Working Group of 15.07.2020 as a relevant working basis, but not yet ready for a decision.

What was the conclusion of the DSK's working group on administration?

- It is not sufficiently clear from the Online Service Terms and the Data Processing Addendum which personal data of users are processed in which way and for which purpose.

- It is unclear on what legal basis Microsoft records and uses telemetry data.

- It is not clear whether Microsoft sufficiently protects users' personal data. It is also unclear for how long they will be stored.

- The transfer of users' personal data to subcontractors is not sufficiently regulated. Insofar as Microsoft commissions further subcontractors after the conclusion of the contract due to programme extensions, there is apparently no explicit consent from the users.

The decision of the DSK's Administration Working Group was made by a narrow majority of 9 to 8 votes.

Why is criticism coming from within your own ranks?

Data protection supervisory authorities of Baden-Württemberg, Bavaria, Hesse and Saarland have classified the assessment of the Administrative Working Group of 15.07.2020 as a relevant working basis, but not as ready for decision.

The following criticism was made:

- The DSK's Administration Working Group made its assessment on the basis of contractual provisions that Microsoft has revised twice since then.

- In its assessment, the DSK's Working Group on Administration did not take into account the decision of the Court of Justice of the European Union (ECJ) of 16 July 2020 (prohibition of data transfers to the USA on the basis of the EU-US Privacy Shield).

- The DSK's Administrative Working Group has not yet heard Microsoft on its assessment. However, this is part of a fair and constitutional procedure.

What happens next?

DSK Administration Working Group has unanimously set up a working group which, under the leadership of the Brandenburg State Commissioner for Data Protection and the Bavarian State Office for Data Protection Supervision, is to begin talks with Microsoft in a timely manner. The goal must be that Microsoft (still) eliminates the existing concerns quickly and comprehensively. Furthermore, it must be discussed with Microsoft how the ECJ's ruling of 16 July 2020 can be implemented.

What does the assessment of the DSK's Working Group on Administration mean to you?

First of all, it must unfortunately be stated that the assessment of the DSK's Working Group on Administration has probably increased rather than decreased the legal uncertainty in the matter of Office 365.

It remains to be seen what the outcome of Microsoft's planned hearing will be.

What can you already do to continue using Office 365?

First and foremost, when using Office 365 (as well as any other software with which you process personal data), you should take to heart the essential principles from Art. 5 GDPR:

- Are you allowed to process the personal data in question at all (lawfulness and appropriateness according to Art. 5 (1) a) and b) DSGVO)?

- Process as much data as necessary and as little as possible (data minimisation according to Art. 5 para. 1 lit. c) DSGVO.

- Develop a deletion concept (storage minimisation according to Art. 5 para. 1 lit. e) DSGVO).

Below we have some tips for you so that you can at least mitigate the data protection concerns when using Office 365

No use of older Office 365 products

Use Office 365 at least in version ProPlus 1094. The previous versions must not be used due to considerable lack of transparency, non-adjustability of the transmission of diagnostic data as well as excessive use of the collected data for Microsoft's own purposes.

Avoid using the Office 365 web app and/or Office 365 mobile apps if possible.

If possible, do not use the Office 365 web application and/or Office 365 mobile apps. According to a statement by the Dutch Ministry of Justice and Security from July 2019, the iOS version of three Office 365 mobile apps transmits personal data to US companies for marketing purposes. Furthermore, it is technically not possible to deactivate the so-called "Connected Experiences" in the Office 365 web application and in the Office 365 mobile apps. The "Connected Experiences" transmit a considerable amount of personal data to Microsoft for its own purposes.

Check your Windows settings

The level of telemetry and diagnostic data transmission of Windows 10 Enterprise must be set to "Secure". Otherwise, Windows 10 will also transmit information about the use of Office ProPlus applications with any setting higher than "Safe". Furthermore, you should not synchronise your activities with the timeline function of Windows 10, because otherwise information about the use of Office ProPlus applications will also be transmitted.

Deactivate the programme to improve the user experience

Disable the function to send data to the Microsoft application usability enhancement programme. This will prevent any unnecessary transmission of personal data to Microsoft.

Deactivate "Connected Experiences

Connected Experiences" are functionalities such as spell check, translations or Office Help. Microsoft considers itself a processor for the provision of some of these functions. However, for the 14 Connected Experiences below, Microsoft considers itself to be a controller in its own right, which means that the DPA's limitation on uses no longer applies. Microsoft's uses as a separate controller include, for example, use for personalisation, advertising or product development.

The Connected Experiences listed below should therefore be deactivated:

- 3D Maps

- Insert online 3D Models

- Map Chart

- Office Store

- Insert Online Video

- Research

- Researcher

- Smart Lookup

- Insert Online Pictures

- LinkedIn Resume Assistant

- Weather Bar in Outlook

- PowerPoint QuickStarter

- Giving Feedback to Microsoft

- Suggest a Feature

Disable Linked-In integration

Integration of Linked-In accounts of your employees must be prevented.

The LinkedIn integration is one of the "Connected Experiences" for which Microsoft sees itself as responsible. The LinkedIn Resume Assistant checks Word documents, among other things, to determine whether it is a CV that is to be published with LinkedIn. In the process, diagnostic data is apparently read out, which contains, for example, the user's email address, a unique ID and device information. These data transfers take place even if the sending of diagnostic data is set to the "None" level.

GoldbergUllrich Lawyers 2020

Julius Oberste-Dommes LL.M. (Information Law)

Lawyer and specialist in information technology law