“The use of Microsoft software by authorities is illegal” and “Authorities should immediately stop using Microsoft” dominated the headlines following a recent press release issued by Heinz Müller, a German state Data Protection Commissioner.
With these statements, the commissioner is essentially taking the same stance that a group of federal and state data protection officers had already indicated at a conference last September. The matter has additionally been discussed in numerous EU countries, as clearly indicated in a public paper released by the EDPS (European Data Protection Supervisor). The criticism focuses on Microsoft cloud services and Microsoft 365, as well as on operating systems, office applications, and video conferencing solutions supplied by providers based outside of the EU. The European data protection authorities' view is that regular use of such services allows personal data to flow to third parties who lack a sufficient legal basis for accessing it.
Last autumn, however, the data protection representatives were not all on the same page. At that time, nine members of the data protection conference were of the opinion that utilizing such services was not in line with data protection regulations, while the remaining eight members voted against that position. Nevertheless, all members saw potential for improvement, especially in light of the CJEU's "Schrems II" decision on the US Privacy Shield in July 2020.
Tips for implementing the GDPR provisions
This discord makes it clear how much opinions differ when it comes to assessing the legality of cloud services. We have compiled this useful list of tips detailing what you need to consider when assessing the legal certainty of the cloud services you use. The web page also provides a free questionnaire you can use to check whether cloud service providers are processing data in compliance with the GDPR.
According to Heinz Müller, companies are left with only one option – using open source products to ensure data protection and safeguard the digital sovereignty of government agencies and authorities. All services provided by Retarus – whether it's the Secure Email Platform, the Communications Platform or the Business Integration Platform – can be run in compliance with the GDPR, even in conjunction with cloud services provided by commercial suppliers such as Microsoft, SAP, or Oracle, or with any open source systems. All data belonging to European customers is processed exclusively in data centers located in Europe and operated by Retarus itself, unless otherwise contractually agreed upon.