Microsoft faces New GDPR compliance challenges in Germany
October 20, 2022 | 4 minutes read
As the EU’s General Data Protection Regulation (GDPR) continues to function as one of the most rigorous data protection laws around the world, many large-scale corporations have been struggling to comply with the provisions of the law when providing their respective products and services to consumers that reside across the many countries that make up Europe. To this end, it was reported last week that multinational technology company Microsoft was facing a string of GDPR compliance challenges within the nation of Germany, as several of the company’s services have effectively been banned throughout the country.
Consequently, government officials within Germany have raised concerns about Microsoft’s off-premise data storage practices. More specifically, the provisions of The Clarifying Lawful Overseas Use of Data (CLOUD) act has led to a new wave of privacy concerns for EU member states that engage in business with U.S.-based companies. For context, the overwhelming majority of businesses within Germany store their personal data on-premise, as is the case with many other countries around the world. However, the CLOUD act permits companies to store their data in off-premises locations such as cloud storage systems, a practice that is in conflict with the provisions of the GDPR.
Microsoft and the CLOUD Act
To this last point, the GDPR requires that any business that collects personal data from consumers within an EU member state must ensure that this data is stored within a location within the applicable member state. As such, a business such as Microsoft that is serving customers within Germany must store this personal information within Germany, or face monetary fines and administrative penalties. Nevertheless, the enactment of the CLOUD Act in 2018 effectively created a loophole that major corporations such as Microsoft could use to circumvent the requirements of the GDPR.
To illustrate the potential impact that Microsoft’s decision to store the personal information of German citizens off-premise could have on the business’s future prospects within the country, the central German state of Hesse enacted a partial ban on Microsoft 365 within the school districts that are present within the area, as the information of the children that attend school within the state would not be stored in Germany under many circumstances. This is on top of additional concerns that have been raised regarding Microsoft’s handling of the personal data of minors within the country.
Privacy Shield Agreement
Due in large part to the issues of data protection and personal privacy as it pertains to the cross-transfer of personal information between U.S. states and EU member states, the two parties have been working together to craft an agreement that would enable businesses to store personal data in the manner they most see fit, while simultaneously providing consumers with the assurance that their information will remain secure at all times. Subsequently, the efforts culminated in the creation of the Trans-Atlantic Data Privacy Framework earlier this month.
Described as an effort to “safeguard commercial cross-border data flows”, the current data protection and personal privacy issues that divide government officials within the U.S. and the EU have existed long before the GDPR was passed. For this reason, the new Trans-Atlantic Data Privacy Framework stands to greatly impact the manner in which businesses such as Microsoft interact with consumers residing in EU member states such as Germany, as these consumers will now have access to a new framework that will provide them with additional privacy protections, as well as further information and clarity regarding the fashion in which their personal data will be stored.
While Microsoft has not been accused of violating the GDPR in any way, the issues that the technology company has faced in recent weeks highlight the ever-increasing need for a federal data protection law within the U.S. In spite of recent efforts to assuage these concerns, the fact of the matter is that citizens residing within EU member states will not be afforded the same level of protection as those that are residing within the U.S. states due to the inherent lack of privacy legislation that exists within the country. As such, the U.S. government will have to begin making serious efforts to improve the privacy protections that are afforded to the nation’s millions of citizens.