Why Microsoft 365 is not secure despite EU approval

No free pass for Microsoft – M365 may now be permitted by the EU Commission, but this does not change the fundamental problem, analyzes Dennis Kipker.

By Prof. Dennis-Kenji Kipker

The European Data Protection Supervisor's (EDPS) finding that there are no data protection concerns about the European Commission's use of Microsoft 365 is legally comprehensible. The reason: it relies on the adequacy decision between the United States and the European Union that remains in force, according to which the USA provides a level of data protection comparable to European standards. In practice, however, it means nothing other than that the US is officially content to have transatlantic data protection exist only on paper.

Dennis-Kenji Kipker

Dennis-Kenji Kipker is Professor of IT Security Law at Hochschule Bremen, where he works at the intersection of law and technology in information security and data protection.

First of all, this decision applies only to the EU Commission itself, which has reportedly taken considerable additional technical and organizational measures to secure its data. Furthermore, it ignores an elementary fact: the adequacy decision stands on feet of clay, and then some. Immediately after US President Donald Trump took office, three members of the Privacy and Civil Liberties Oversight Board (PCLOB) were asked to leave the body, leaving it without the quorum it needs to act; yet the PCLOB is an essential component of the current EU-US Data Privacy Framework.

And that's not all: under both predecessor agreements, Safe Harbor and Privacy Shield, it regularly became clear that US companies did not comply with the agreement because of lax control structures, or that the requirements were not properly enforced by US authorities. It was not without reason that the European Court of Justice overturned both agreements in turn (Schrems I in 2015 and Schrems II in 2020).

To now invoke Microsoft's EU Data Boundary as a guarantee of data security and data protection in the transatlantic relationship is nothing more than closing one's eyes to the massive problems that still exist. It also begs the question of why a so-called data boundary is needed at all if the level of data protection in the United States corresponds to the European guarantees. On closer analysis, this data boundary has as many holes as Swiss cheese: Microsoft's lawyers formulated it so vaguely from the outset that almost any type of data transfer remains possible for countless purposes. Ultimately, neither the customer nor Microsoft itself decides what actually happens with this data.

In this respect, the EDPS decision may still be legally correct, at least for the time being. In substance, however, it is disappointing, because it does not address the actual problems. And if comments are now circulating everywhere that this provides official European proof that Microsoft cloud products can be used by anyone in a legally secure manner, that is misleading. For one thing, the cloud deployment of the EU Commission and the other EU institutions is not comparable with the standard Microsoft product sold to SMEs. For another, the EDPS has no competence to assess the legality of data processing by companies in Germany (or elsewhere); that is the responsibility of the national and state data protection authorities, who may well take a completely different view in case of doubt. This decision sends no signal at all.


And even if, despite everything, the EDPS's reasoning is followed, the question remains how long such a decision will remain valid. So far, the adequacy decisions between the EU and the USA have never been a guarantee of permanence for transatlantic data exchange. On the contrary: in view of political developments worldwide, EU authorities and companies should treat this decision not as a template, but as a warning about how uncertain transatlantic data protection actually is.


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.