DGerman data protection officers shy away from little, certainly not from American tech giants. At the end of November, the data protection conference, the body of independent data protection authorities in Germany, struck at Microsoft: It expressed serious concerns about the cloud-based software package Office 365, which is common in millions of offices. It was too opaque what was happening with the data on Microsoft’s servers. In the future, companies will have to ensure that customer and employee data is protected when using Word, Excel or teams. “It’s going to be difficult,” says the Baden-Württemberg data protection officer Stefan Brink, in whose state Office 365 can only be used in schools under strict conditions.
Microsoft itself immediately contradicted the interpretation of the conference and stated that the company follows the strict EU data protection rules. The view of the data protection officer is now apparently also supported by the federal government. This emerges from the answer to a small request from the CDU MP Marc Biadacz, which the FAS has received. It states: “The federal government basically shares the assessment of the data protection officer of the state of Baden-Württemberg, Stefan Brink, regarding the data protection problems when using Office 365 products from Microsoft in public administration.” There are “considerable difficulties to demonstrate the lawfulness of the processing of personal data”.
This lack of clarity creates particular difficulties for the federal institutions in proving that the data processing is taking place within the statutory purpose. This is the only way that “the processing of personal data in an environment of this kind is possible at all”. According to the Federal Government, the necessary tests are “intensive and involve considerable effort”.
According to its own statements, the federal government has “implemented measures that make the use of these products generally unnecessary for the federal government”. According to the government, most ministries are currently not using Office 365 or are only using it in pilot projects. The situation is different in the Federal Foreign Office of Foreign Minister Annalena Baerbock. According to the federal government, the software is used there as part of the “special requirements of foreign IT” – of all things in an office in which the secret services of other countries could be particularly interested. The Ministries of Environment and Economic Development also have licences. A request from the FAS as to how the use could be reconciled with the concerns of the government was left unanswered by the Federal Foreign Office at the time of going to press.
Criticism of the confusing situation comes from the opposition. CDU man Biadacz, who is a member of the Digital Committee of the Bundestag, demands: “Microsoft and the data protection officers must act now to quickly and transparently clear up the legal concerns.” At a time when municipal administrations in particular are doing an enormous amount must, it cannot be “that they also have to fundamentally convert their IT just to meet the data protection requirements”.