Image: iStock
For the past two years, Microsoft has been engaged in talks with the German data protection authority. The Datenschutzkonferenz (DSK) then determined that Microsoft’s Office package does not comply with the GDPR.
During those two years, however, they have hardly been idle at Microsoft. In an 8-page statement, the DSK says that there are already many improvements in Microsoft’s policy compared to two years ago. Nevertheless, the privacy watchdog is critical and says that Microsoft must do more if it wants to comply with the GDPR.
For example, the DSK pushes forward the privacy statement of 365 applications. It would not be stated clearly enough what exactly Microsoft does with user data and how it processes this data. As a result, says the DSK, Microsoft cannot demonstrate that it is using that data in a lawful manner – and that is against the rules of the GDPR. The computer giant must therefore become more transparent about its data processing.
Another problem is the storage of European user data on American servers. At the moment it is impossible to use Microsoft 365 without sending your data to America. The document does state that all data will also be stored in Europe from December 2022, although it is still possible that certain data will be sent across the ocean. The DSK therefore says that these EU servers are a development in the right direction. Nevertheless, according to the organization, it is also necessary to keep an eye on them.
Response from Microsoft
California responded to the DSK’s findings. In its own statement, Microsoft says it disagrees (“respectfully disagree”) with the findings of the DSK. The publisher of the office suite says that its services not only comply with the GDPR, but actually even exceed certain requirements. Microsoft also says that it is more transparent than many tech companies already are.
Microsoft does say that it wants to become even more transparent than it already is and that it will do the necessary work in the future. Incidentally, they don’t really lose sleep over the DSK’s decision in America. The software giant says it has confidence in 2023. Partly due to a new law that lays down privacy laws between the EU and the US, they expect to receive a positive GDPR evaluation next year.
