Germany has decided that Microsoft 365 is illegal

Telemetry and more

The user agreement for Microsoft 365 contains provisions that give the provider the right to use data from end users for various business purposes. An example of this is the general objective of ‘improving services provided’. In addition to telemetry data (about the operation and use of software and hardware configuration), this may also include personal data. Telemetry and diagnostic data are collected by Microsoft in large quantities, the task force is aware.

The Critical report Declaring Microsoft 365 illegal is only formally an assessment, not an actual decision leading directly to enforcement. It may well follow, but the question is when, how and by whom. These sorts of things can take a lot of time, implementing any remedial measures is complex and due to the EU-wide nature of the GDPR, enforcement may actually be ‘above’ country levels.

penetrated deeply

In practice, the use of Microsoft’s cloud services – like other US suppliers – has permeated the government sector, business, education and society. Banning and eliminating it will be difficult if not practically impossible. However, it is an expensive business.

A definitive conclusion just drawn up by a special task force of German privacy regulators DSK (Dadenschutzconference) followed over two years of research. Microsoft has also been consulted extensively. On September 22, 2020, an investigation into Office 365 (called the cloud offering) began. Later that year, it was cited by a task force set up by Microsoft. Between then and now, the cloud provider was forced to make some changes. However, these are not enough to avoid the now-vehement rejection by German regulators.