Is Microsoft 365 data protection compliant?

In Switzerland as well as in Germany and France, Microsoft 365 in particular is currently being criticised by data protection authorities. Last November, for example, the French Ministry of Education banned the use of the free Microsoft 365 offerings in schools on the grounds that they would violate the European General Data Protection Regulation (EU GDPR).

In Germany, however, the conference of the independent data protection supervisory authorities of the federal and state governments came to the conclusion that Microsoft 365 could not be considered compliant with data protection in principle. Microsoft, on the other hand, sees it differently: the data protection authorities would no longer pursue data protection in their criticism, but would elevate “data protection to a dogmatic end in itself”.

In Switzerland, meanwhile, the Zurich cantonal government caused a stir: In April 2022, the government council approved Microsoft 365 for the cantonal administration. Dominika Blonski, the data protection commissioner of the canton of Zurich, had signed off on the decision – but makes it clear: Despite this decision, the cantonal administration does not have a free pass to use Microsoft 365. Sensitive data must not be exposed to unlawful access by other authorities under any circumstances – and the Microsoft cloud cannot guarantee that, Blonski says in an interview. In general, the problem lies in the fact that Microsoft dominates the market for Office products, says the Zurich data protection commissioner, adding: “Switzerland also has to discuss how such dependencies can be broken as part of the discussions on digital sovereignty.”

However, SMEs should not only pay attention to the right settings, but also to the service contract with Microsoft. Furthermore, according to Korostylev, it is advisable for SMEs in particular to have a cloud exit strategy up their sleeve and to bear in mind that Microsoft intends to offer exclusively cloud-based delivery models from 2025.