Microsoft 365 under fire in Germany over privacy concerns

30 Nov 2022

Image: © Tobias Arhelger/

A report by German data protection regulators has found that Microsoft 365 may not comply with Europe’s data rules.

The French education ministry recently urged schools in the country to stop using free versions of Microsoft 365 over privacy concerns, and now a similar sentiment is brewing in Germany.

After looking into the software for around two years, a working group of German data protection regulators has found that Microsoft 365 may be incompatible with GDPR – and that Microsoft has not resolved any of the compliance concerns raised by the group so far.

The DSK – a steering body for Germany’s decentralised application of data protection law – has published a report on Microsoft 365’s compliance with specific sections of the EU’s data protection regulations.

This follows a move by the German state of Hesse, which in 2019 banned the use Microsoft 365 in schools after the local data protection commissioner ruled that the platform could potentially expose EU citizens’ data to US officials.

The new DSK report said it could not conclusively determine in which cases Microsoft acts as a data controller as opposed to just a data processor. Under EU law, a data controller has to abide by a more stringent set of accountability regulations.

It also pointed out that there isn’t sufficient clarity around measures Microsoft has taken to ensure the safety of any data exported to the US from the EU.

Matthias Pfau, founder of German encrypted email service Tutanota, said that online services from US companies are continuing to “trample” on GDPR more than four years after it came into effect.

“Obviously, large American corporations are putting up with any complaints and also penalties because the business model ‘use my service and I’ll use your data’ is extremely lucrative for them,” he said.

French lawmakers raised similar concerns recently, with one politician claiming that using the free version of Microsoft 365 is tantamount to illegal dumping, penalises other tech players and raises concerns about data sovereignty.

The French education ministry then said it had advised schools across the country to stop using free versions of Microsoft 365 and Google Workspace.

The ministry found the productivity services to be incompatible with the government’s ‘cloud at the centre’ policy based on Schrems II and the opinion of France’s data protection watchdog with regards to GDPR.

In response to the German report, Microsoft told TechCrunch that its 365 products “meet the highest industry standards for the protection of privacy and data security”.

“We respectfully disagree with the concerns raised by the [DSK] and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Vish Gain is a journalist with Silicon Republic