I like this guy's videos on data protection and GDPR... informative and useful. Good one on 'legitimate interests' assessments.

https://www.youtube.com/watch?v=1T4dZi-PXuY

#dataprotection #gdpr #ico #legitimateinterests

Reading through the recent @dsk decision against M365 and let's just say, deep sigh.

First off, nothing good ever starts from a conclusion like this: "The evaluation of the AK Verwaltungs came to the conclusion that "on the basis of these documents, no data protection-compliant use of Microsoft Office 365 is possible"

Page 2 is breathtaking in how it admits (unless my machine translation is wrong, and #teamdatenschutz , please correct me if I'm wrong) that it considered _nothing_ other than "an assessment limited solely to selected legal requirements of the GDPR, but not a complete data protection assessment of the Microsoft 365 cloud service, b) essentially an investigation based on the six from the AK Verwaltungs 2020 identified contractual defects."

So, no technical analysis at all. Nary an investigation into how M365 is being used, or even the entire relevant #contract.

For the love of cats, I really hope the machine translation is just buggy, because if not, that is appalling.

Pages 3-4 discuss a major complaint -- the DSK's objection by Microsoft of the #legitimateInterests basis for #processing #PersonalData.

Page 4 also discusses the (lack) of improvements between the regulatory working group and #Microsoft particularly around the type and #purposes of #processing data and the types of personal data being processed. This admittedly, does seem like an easy fix, and I'm not entirely sure what Microsoft's representatives were so hostile to making this change. It's basic #transparency.

Page 5 calls out the telemetry and diagnostic data. On this, I wish the DSK had gone into greater detail. That's one area where it all feels very shadowy to me.

I'll admit here that the machine translation of Sec. 3.3, para 2 likely isn't clear. I'm not entirely following why Microsoft, as a processor, would be responsible for issuing instructions ... to the customer/#controller? I honestly dont' know.

Page 6, Sec. 3.6 - the DSK calls out that updates to sub-processor lists include only 'planned changes' but not specifics on the 'planned changes' to subprocessors. If by specifics, they mean more details on the sub-processor's processing, I can understand. Otherwise, I've no idea what they're getting at here.

Page 7, Sec. 3.7 - now we get into the real meat of things: Any use of M365 involves a #transfer of data to the United States, and that makes everyone sad.

One useful note: Allegedly, Microsoft's #EUDataBoundary will maybe possibly launch in December of this year!

The DSK also reaches a sensible conclusion but without the necessary introspection: Namely that "the supervisory authorities have so far not been able to identify additional protective measures that could lead to the legality of the data export" as you can't process only encrypted data in all contexts everywhere. When data is in use, it's almost always in cleartext.

Maybe if they say it a bit louder, that would help.

After reading all of this, I have no idea how this will play out. Obviously, the German DPAs have no authority to bar Microsoft in Europe (that's Ireland's call). But they can cause endless amounts of pain for German conrollers wishing to use M365, which is probably most of them.

Unsurprisingly, they offer _no_ solutions to this legal hell -- a few parting notes about how the EU Data Boundary might be a thing, or the US #TADPF might help (or not).

Hopefully, smarter folks than I can offer some guidance on how to sort this one out.

cc: @wchr @dataprotection @DataProtectionNerd @floort @neil @DaraghOBrien @robertbateman@mastodon.social