Germany's compliance fight could hurt Microsoft customers

If there are two things that should never be mixed, it is cybersecurity/privacy compliance and company policy. And yet it is at the center of a compliance fight between Microsoft and German authorities that could end up punishing the company's customers.

The German Datenschutzkonferenz, the regulatory body responsible for administering the German version of the European Union's General Data Protection Regulation (GDPR), has publicly stated that "no data protection compliant use of Microsoft Office 365 was possible."

That is the most absolute and bold statement I have ever seen from a compliance agency.

To be specific, regulators have not explicitly found violations of compliance rules so much as they have found data paths that Microsoft would not sufficiently explain. These routes appeared to dump data on servers controlled by US-based Microsoft.

“The central and recurring question of the series of discussions was in which cases Microsoft acts as a processor and in which cases as a controller. This could not be conclusively clarified. Controllers must be able to demonstrate at all times their responsibility in accordance with Art. 5 para. 2 GDPR,” the report states, before adding that “difficulties continue to be expected as Microsoft does not fully disclose what processing is taking place in detail. Furthermore, Microsoft does not fully explain what processing is done on behalf of the customer or what is done for its own purposes. The contractual documents are not specific in this regard and therefore allow processing that cannot be conclusively assessed or even extended for your own purposes.”

Unsurprisingly, Microsoft disagrees, arguing that its products are software perfection.

"Today, Germany's Datenschutzkonferenz (DSK) raised concerns about Microsoft 365 (M365)'s compliance with German and European data privacy laws," Microsoft said in a statement. "We respectfully disagree with DSK's position as we ensure that our M365 products do not meet, but often exceed, the strict data privacy laws of the European Union. Our customers in Germany and throughout the EU can confidently use M365 products in a legally compliant manner to enable them to do more with less."

Microsoft also promised that it would try to share more information about its processes (i.e., more transparency).

"We take DSK's efforts for greater transparency very seriously, and while our documentation and transparency practices exceed those of most others in our space, we are committed to doing even better," the company said. “Specifically, as part of our EU data cap commitments, we will provide additional transparency documentation on customer data flows and processing purposes. We will also provide more transparent documentation of processing and tracking by sub-processors and non-EU Microsoft employees.”

It's unclear whether Microsoft will be transparent enough in explaining exactly how its data flows work and why, and whether the company is willing to change them.

So what does this mean for Microsoft and, more importantly, for Microsoft enterprise computing customers?

Let's start with the ramifications for Microsoft. Compared to the United States, Europe takes privacy and cybersecurity very seriously. And it's safe to say that Germany has a reputation for taking compliance more seriously than anyone else in the EU or the UK.

In theory, this should mean serious consequences for the company. But according to Peter Dorce, a privacy specialist in Germany who frequently works with regulators, it's unlikely Microsoft will be forced to make any more changes or answer specific questions. Their software is simply so widely distributed that it would be politically unattractive to force the issue.

German compliance authorities "can live with the situation where Microsoft claims to do everything right and the authorities claim to have done everything possible to force Microsoft to comply," he said in an interview with Computerworld. Microsoft “does not meet the most basic requirements of GDPR. They lack fundamental transparency. We cannot evaluate what they do because they do not tell us.”

This is where politics comes in, where practical forces can influence government enforcement actions. German regulators “fear reprisals. (With the regulators thinking), we won't get more budget if we say you can't use Office anymore. Or even Google Analytics, plus,” Dorenvant said. “These are political issues. Nobody wants to be the bad guy.”

So Microsoft is likely to skate on the issue, at least for now. But what about corporate IT administrators? Are companies using Microsoft products immune from compliance penalties? Not necessarily. It may seem unfair to let Microsoft off the hook and punish its customers, but the argument is that this is very likely to happen. And not only in Germany.

"In Belgium, the Netherlands, Germany and elsewhere, there are ongoing lawsuits against customers of Microsoft products," he said.

This brings us to an even bigger corporate IT compliance problem. Not long ago, a popular computer adage was that no one could get fired for buying IBM. This meant that sticking with the largest technology providers generally protected their purchasing decisions to a great extent.

In compliance, the same thinking suggests that when companies use Microsoft, SAP, Oracle, Google, or any of the other big players, IT can assume that the basics, the most fundamental cybersecurity and compliance issues, have been taken care of (especially when it's about something like GDPR).

It was never a wise strategy, and it certainly is not today. If Microsoft still falls short on minimum compliance requirements, chances are the other major players do too.

To be blunt, your compliance is your compliance. Using reputable providers will not protect you from regulatory nightmares. The authorities may not have the guts to go after these providers, but making an example of a few Fortune 1000 companies is a whole different story.

Copyright © 2022 IDG Communications, Inc.