2022-09-20

Microsoft has published a new version of its data processing agreement and has adopted the current standard contractual clauses. Lawyers like that.

In the light of the Schrems II judgment of the European Court of Justice (ECJ) on international data transfers, Microsoft has once again revised its data processing contract. The current version of the “Microsoft Products and Services Data Protection Addendum” (DPA) dates from September 15 and addresses the new requirements of the EU Commission. The addendum covers, among other things, data processing via the Microsoft 365 package, which is used in many companies and public authorities despite the available open source alternatives.

With the Schrems II judgment, the ECJ declared the transatlantic “Privacy Shield”, and thus one of the most important legal bases for transferring customer data to the USA, invalid. The so-called standard contractual clauses (SCC) remain as an alternative instrument for data transfers. The EU Commission therefore set out to adapt these clauses to the case law of the Luxembourg judges and released a new version in early June 2021.

Amended Standard Contractual Clauses

In the new DPA, Microsoft has now removed the Commission’s old SCC from 2010 and replaced them with the current version. This had become necessary in any case: after the new standard contractual clauses came into force, transfers to third countries could be based on the previous SCC only until December 27, 2022, explain the lawyers Stefan Hessel and Christoph Callewaert from the Reuschlaw law firm in an article on Microsoft’s social media portal LinkedIn.

The two lawyers report that the new SCC, which are now the only valid version, are concluded under Module 3, which covers transfers from processors: “Transfers to third countries are therefore carried out by Microsoft Ireland as the data exporter.” Google, for example, had already made the new standard contractual clauses available for its cloud services a year ago.

For the first time, this goes hand in hand with guarantees “to regulate any effects of the laws of the third country of destination” on the data importer’s compliance with the clauses. Above all, it must be clarified in advance “how to deal with binding requests from authorities in third countries for the transfer of transmitted personal data”. Users of the new SCC must also name the measures taken to keep the amount of personal data as small as possible and to pseudonymise and encrypt it before a transfer.

Microsoft has also specified which data it uses for its own purposes. The US company cites, for example, the aggregation of statistical, non-personal data from pseudonymised data and the creation of statistics. It assures that it will not access the content of customer data and will not analyse it. Previously listed purposes such as combating fraud, cybercrime or hacker attacks no longer appear here.

Disclosure of Processed Data

The disclosure of processed data, especially to government authorities, is one of the most discussed and controversial aspects of data protection in Microsoft 365, write Hessel and Callewaert. In addition to the existing guarantees, such as examining every single government request for personal data and contesting its legality where there are doubts, Microsoft once again makes it clear in the new DPA that the standard for any disclosure of information is the General Data Protection Regulation (GDPR). Disclosures are thus “unmistakably based on the standard of European law”.

Furthermore, the software giant emphasizes that, as the exporter, it carries out the transfer impact assessment itself for data transfers to third countries such as the USA. Assessing the legal situation in the respective non-EU country and guaranteeing an appropriate level of data protection is therefore primarily Microsoft’s responsibility.

The two lawyers rate the adjustments as “positive overall”. At the very least, the company has “addressed several points of criticism from the supervisory authorities” regarding the contractual agreements and made a clear reference to the GDPR. In principle, “a data protection-compliant use of Microsoft 365” is possible together “with a data protection impact assessment and suitable technical and organizational measures to reduce risks”. Controllers should therefore, also against the background of the data protection supervisory authorities’ current reviews of the use of Microsoft 365, consider concluding the new DPA via an additional agreement.

Compliance with data protection regulations

The Conference of the Independent Data Protection Supervisory Authorities of the Federation and the Länder (DSK) had decided in 2020 that “no data protection-compliant use of Microsoft Office 365 is currently possible”. For more than six months beforehand, experts from the panel had checked whether the data protection provisions and online terms for the cloud-based software package were compatible with Article 28 of the GDPR on processing on behalf of a controller. Its result was negative. Anyone who uses the cloud version of Word, Excel, PowerPoint or Teams without making any adjustments is therefore not acting in accordance with the law.

Regarding the Online Service Terms (OST) and the audited DPA from January 2020, the panel complained that the types of personal data and the purposes for which they are processed remain unclear. It is therefore also not possible to determine separate data protection requirements and risk levels. Such information should already be apparent from the data processing contract itself. However, critics of the decision have repeatedly pointed out that the DPA it examined no longer corresponds to Microsoft’s current terms.

