Co-Authored By Damian Murphy and Debora Motyka Jones
In our four-part blog series on Schrems II and its impacts, we have already given the state of data transfers in light of the Schrems II decision as well as some practical tips on how to conduct a risk assessment. In sum, the foundation upon which companies have transferred data overseas for the last half-decade was recently shaken. Companies are left with no good legal options for data transfer so, instead, they need to make calculated risk assessments based on business need and convenience versus compliance with an unknown and quickly changing legal landscape.
For those companies who have chosen Microsoft as their cloud provider, Microsoft has taken additional steps to alleviate some of the risks. In addition, there are some specific supplementary measures companies can take in their Microsoft 365 (M365) environment to mitigate some risk. In this third part of our series, we will consider the position if you are analysing data transfers that take place using M365, Microsoft’s flagship software-as-a-service tool, which is in use by many entities operating within Europe.
It is worth pointing out that Microsoft has responded quickly to the upheaval. The EDPB issued its supplementary measures on November 11th, 2020, and by November 19th, Microsoft issued a press release entitled “New Steps to Defend Your Data.” Microsoft explained it was strengthening the rights of its public sector and enterprise customers in relation to data by including an Additional Safeguards Addendum into standard contractual terms. That addendum would give contractual force to the new steps Microsoft laid out in terms of defending customers’ data, namely that Microsoft:
- will challenge every government request for public sector or enterprise data from any government where there is a lawful basis for doing so; and
- will compensate a public-sector or enterprise-customer user if data is disclosed in response to a government request in violation of the GDPR.
Microsoft pointed out that these commitments exceeded the EDPB’s recommendations (presumably referring to the contractual supplementary measures in the EDPB guidance). These changes have received a mixed response, but it is interesting to see that the data protection authorities within three of the German states (Baden -Württemberg, Bavaria, and Hesse) issued a joint opinion that this was a move in the right direction since it included significant improvements for the rights of European citizens and was a clear signal to other providers to follow suit.
So at a macro level, Microsoft has taken very public steps. However, that does not remove the need to carry out the analysis set out by the EDPB or, in general, carry out a risk assessment to give you a thorough understanding of any risks associated with using M365. Here are some specific considerations to keep in mind:
- As to the first step of the EDPB recommendations, identifying your data transfers, it is our understanding that Microsoft will shortly be publishing more detailed data maps which will help.
- The Microsoft white paper on the necessary elements for monitoring, securing, and assessing cloud storage is a very helpful resource. An updated version of this is also expected shortly.
- As part of your assessment, you should review the Microsoft Online Services Data Protection Addendum, in particular, the Data Transfers and Location sections, and the amended terms arising from Microsoft’s recent press release.
- When carrying out your risk assessment or transfer impact assessment, you should consider carefully the extent to which M365 can be configured to reduce the amount of personal data leaving Europe. More specifically, there are six areas upon which you could focus:
- Multi-geo: With multi-geo, a company operating in Europe can choose to have its Exchange Online (i.e., email), its SharePoint Online, and its OneDrive for Business data stored, at rest, within Europe. Multi-geo reduces the amount of data that would be transferred to the US in comparison to having the geo (Microsoft’s word for the central hub where data is stored) within the US. This is probably the most significant step a company can take to reduce data transfers.
- Choosing whether or not to enable applications: Certain applications such as Sway, Microsoft’s newsletter application, will have their data stored in the US irrespective of whether a company chooses to have a multi-geo setup. A company might weigh the pros and cons of each application, which involves data being stored in the US, and decide that it could operate without that application.
- Configuration settings at an application level: There are many settings within M365 at an application level that will vary the amount of data being generated and processed. Assessing each application in turn and deciding the specific configuration within that application can make a significant difference to the amount of personal data being created, moved, or stored. For more details on how to evaluate this for the popular collaboration tool, Teams, you can review this write-up.
- Encryption: Explore encryption thoroughly and look to implement it, if practical, as an additional technical safeguard. There a number of good resources explaining how encryption operates and the options available to add additional encryption. Here is a good starting point for learning about Microsoft’s encryption options.
- Customer lockbox: If you configure M365 so that the number of data transfers is reduced to the bare minimum, one area where transfers might still be needed is when there is a need for remote access by Microsoft engineers to provide support. Customer lockbox allows you to give final and limited approval for such access, which you can do after carrying out a specific risk assessment.
- Audit logs: All significant events in M365 are audited so you should put in place a review of audit logs to support any risk assessments that you complete.
It is also more than just good practice to put in place a retention policy within M365, it is essential to ensure that personal data is not being retained for longer than is necessary. Reducing the amount of personal data within an organisation reduces the risk of data breaches that could result in problems under the provisions of the GDPR.