The German supervisory authorities (the equivalent of our Commission Nationale Informatique et Libertés, or CNIL) have opened discussions with Microsoft to improve the compliance of Microsoft 365 services with GDPR requirements. At issue were Microsoft’s contractual framework and its data transfers to the United States.
The Schrems II decision: a brake on data transfers outside the EU
As a reminder, the GDPR imposes a prohibition in principle on the transfer of data outside the EU, which can however be lifted by resorting to “appropriate guarantees”, constituted by legal instruments, in particular contractual ones, such as the European Commission’s standard contractual clauses.
The possibilities of data transfer to the United States have been further restricted by a “Schrems II” judgment, handed down in 2020 by the Court of Justice of the European Union, which notably invalidated the Privacy Shield. This decision was motivated by a collection of personal data, by the US authorities, considered particularly extensive and intrusive.
It has had the practical consequence of making most transfers of personal data to this country non-GDPR compliant, particularly transfers of unencrypted and non-pseudonymized data, to cloud providers, even when these transfers are accompanied by “adequate guarantees”.
According to this decision, and beyond the particular case of the United States, it is also necessary to study the laws and practices of the countries outside the EU to which data is sent, in order to determine whether they undermine the “appropriate guarantees” relied on to make the transfer compliant.
The European data protection authorities have widely commented on this decision. The CNIL (Commission Nationale Informatique et Libertés), for example, has issued recommendations advising higher education establishments to stop using “American tools for higher education and research”.
Examination of the German supervisory authorities of Microsoft 365
Recently, it was the German supervisory authorities that took an interest in Microsoft 365, particularly through the prism of personal data transfers to the United States.
In fact, the federal committee of German supervisory authorities has created a working group responsible for initiating discussions with Microsoft, so that Microsoft improves the compliance of its Microsoft 365 services with the requirements of the GDPR and the Schrems II decision.
Following several interviews with Microsoft, the findings, listed in a document published on November 24, 2022, focused on the contractual framework and data transfers to the United States.
A perfectible contractual framework
From the discussions between Microsoft and the German working group it emerged that the purposes of the processing and the categories of personal data processed are not sufficiently described in Microsoft’s contractual framework. The working group suggests, at this point, using the European Commission’s “Article 28” appendix to the standard contractual clauses, or integrating the recording of the controller’s processing activities into the contract.
Nor does Microsoft’s contractual framework sufficiently distinguish between processing carried out by Microsoft on behalf of its customers, on the one hand, and on its own account (in particular “for legitimate business purposes” or for diagnostic purposes), on the other, nor does it state the legal bases on which such processing rests.
The contractual framework also allows Microsoft to communicate its customer data to third parties, in a broader way than provided by the GDPR, potentially in violation of this regulation. The list of data destination countries is not exhaustive.
Even if this is not always possible in practice, companies using Microsoft 365 services would be well advised to negotiate the data-protection terms of their contracts in order to remedy these deficiencies.
Unavoidable data transfers to the United States
The contractual framework, which is still not exhaustive as to the countries to which personal data is transferred, nevertheless provides for the possibility of Microsoft transferring personal data to the United States, using standard contractual clauses.
Based on the task force’s findings, it is not possible to use Microsoft 365 without transferring personal data to the United States. In addition, in the context of this transfer, the personal data can be read by the recipient, so this transfer would not meet the requirements of the Schrems II judgment.
Towards a regularization of data transfers to the United States?
The complaints made to Microsoft by the German authorities regarding data transfers must be put into perspective with the latest statements from the European Commission.
It should be noted, in fact, that the personal data collection operations by the US authorities, the general nature of which motivated the Schrems II decision of 2020, were subject, by US presidential decree of October 7, 2022, to conditions of proportionality and of necessity.
The day after this decree, and relying on it, the European Commission announced that it was working on an adequacy decision intended to bring transfers of personal data to the United States back into compliance, as the “Privacy Shield” and “Safe Harbor” decisions had done in their time.
This decision was drafted and published on December 13, 2022 and submitted to the EDPS (the group of European CNILs) for its opinion. Once this opinion has been issued, the adequacy decision will only be applicable after a process that will take it before a commission made up of representatives of the EU Member States and before the European Parliament.
Thus, at least in the eyes of the European Commission, the issue of personal data transfers to the United States is no longer really an issue. It remains to be seen if the Court of Justice of the European Union will agree.
Source: BFM TV
