A compliance fight in Germany could hurt Microsoft customers

If there are two things that should never mix, it’s cybersecurity/privacy compliance and corporate politics. And yet, that’s at the heart of a compliance fight between Microsoft and German authorities that might wind up punishing the company’s customers. 

The German Datenschutzkonferenz — the regulatory body entrusted to handle Germany’s flavor of the European Union’s General Data Protection Regulation (GDPR) — has publicly declared that “no data protection-compliant use of Microsoft Office 365 was possible.”

That’s about as absolute and bold a statement as I’ve ever seen from a compliance body.

To be specific, the regulators didn’t explicitly find violations of compliance rules as much as they found data paths Microsoft wouldn’t sufficiently explain. These paths seemed to dump data onto U.S.-based Microsoft-controlled servers. 

“The central and recurring question of the series of discussions was in which cases Microsoft acts as a  processor and in which cases as a  controller. This could not be conclusively clarified. Controllers must at all times be able  to demonstrate their accountability in accordance with Art.  5 para.  2 GDPR,” the report said, and then added that they “continue to expect difficulties, as Microsoft does not fully disclose which processing takes place in detail. In addition, Microsoft does not fully explain which  processing takes place  on behalf of the customer or which takes place  for its own purposes. The contract documents are not precise in this respect and, as a result, allow processing that cannot be conclusively assessed, possibly even extensive for one’s own purposes.”

Not surprisingly, Microsoft disagrees and argues its products are software perfection.

“Today, the German Datenschutzkonferenz (DSK) published concerns about how Microsoft 365 (M365) complies with German and EU data privacy laws,” Microsoft said in a statement. “We respectfully disagree with the DSK position as we ensure that our M365 products not only meet, but often exceed, the strong data privacy laws in the European Union. Our customers in Germany and across the EU can confidently use the M365 products in a legally compliant way to empower them to do more with less.”

Microsoft also pledged it would try and share more information about its processes (aka better transparency).

“We take to heart the DSK’s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better,” the company said. “Specifically, as part of our EU Data Boundary commitments, we will provide additional transparency documentation on customer data flows and the purposes of processing. We will also provide more transparency documentation on the processing and location by subprocessors and Microsoft employees outside of the EU.”

 It’s unclear whether Microsoft will be sufficiently transparent by explaining exactly how its dataflows work and why — and whether the company is willing to change them.

So, what does this mean for Microsoft and, more importantly, for Microsoft enterprise IT customers?

Let’s start with Microsoft fallout. Compared with the US, Europe takes privacy and cybersecurity compliance very seriously. And it can be argued Germany has a reputation for taking compliance more seriously than anyone else in the EU or UK.

In theory, that should mean serious consequences for the company. But according to Peter Hence, a privacy specialist in Germany who frequently works with the regulatory authorities, Microsoft is unlikely to be forced to make more changes or answer specific questions. Its software is simply so widely distributed that it would be politically unappetizing to force the issue.

German compliance authorities “can live with the situation where Microsoft pretends to do everything right and the authorities pretend to have done everything in their power to force Microsoft to become compliant,” Hence said in an interview with Computerworld. Microsoft “does not fulfill the most basic requirements of GDPR. They lack basic transparency. We can’t assess what they are doing because they are not telling us.”

This is where politics comes into play, wheret practical forces can influence government compliance actions. German regulators “are afraid of retribution. (With regulators thinking) we won’t get more budget if we say that you can’t use Office any more. Or even Google Analytics, any more,” Hence said. “These are poltical issues. Nobody wants to be the bad guy.”

Thus, Microsoft is likely to skate on the issue — at least for now. But what about enterprise IT execs? Are companies using Microsoft products immune from compliance punishments? Not necessarily. It might not seem fair to let Microsoft get away with this but to fine and otherwise punish its customers, but Hence argues that’s quite likely. And not just in Germany.

“In Belgium, the Netherlands, Germany and elsewhere, there are ongoing cases against the customers of Microsoft products,” Hence said.

This brings us to even bigger enterprise IT compliance issue. Not that long ago, a popular IT adage was that no one can get fired for buying IBM. That meant sticking with the biggest tech providers usually shielded your purchase decisions to a major degree.

In compliance, the same thinking suggests that when companies use Microsoft, SAP, Oracle, Google orone of the other big players, IT can assume the basics —the most fundamental cybersecurity and compliance issues — have been taken care of (especially when it comes to something like GDPR).

That was never a wise strategy but it certainly isn’t one today. If Microsoft still has gaping holes in minimum-requirement compliance issues, it’s a safe bet that the other major players do, too.

To be blunt, your compliance is your compliance. Using big-name vendors won’t protect you from regulatory nightmares. Authorities might not have the fortitude to go against those vendors, but making an example of a few Fortune 1000 enterprises is an entirely different story.