{"id":20725,"date":"2022-12-07T06:30:23","date_gmt":"2022-12-07T14:30:23","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/12\/07\/news-14458\/"},"modified":"2022-12-07T06:30:23","modified_gmt":"2022-12-07T14:30:23","slug":"news-14458","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/12\/07\/news-14458\/","title":{"rendered":"A compliance fight in Germany could hurt Microsoft customers"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/10\/cso_eu_european_union_gdpr_data_privacy_protection_regulation_compliance_by_andreus_gettyimages-1145445263_2400x1600-100814179-small.jpg\"\/><\/p>\n<p><strong>Credit to Author: eschuman@thecontentfirm.com| Date: Wed, 07 Dec 2022 04:32:00 -0800<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">If there are two things that should never mix, it\u2019s cybersecurity\/privacy compliance and corporate politics. And yet, that&#8217;s at the heart of a\u00a0compliance fight between Microsoft and German authorities that might wind up punishing the company&#8217;s customers.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The German Datenschutzkonferenz \u2014 the regulatory body entrusted to handle Germany\u2019s flavor of the European Union&#8217;s <a href=\"https:\/\/www.csoonline.com\/article\/3202771\/general-data-protection-regulation-gdpr-requirements-deadlines-and-facts.html\" rel=\"noopener\" target=\"_blank\">General Data Protection Regulation<\/a> (GDPR) \u2014\u00a0<\/span><a href=\"https:\/\/datenschutzkonferenz-online.de\/media\/dskb\/2022_24_11_festlegung_MS365_zusammenfassung.pdf\" rel=\"nofollow noopener\" target=\"_blank\"><span style=\"font-weight: 400;\">has publicly declared<\/span><\/a><span style=\"font-weight: 400;\"> that \u201cno data protection-compliant use of Microsoft Office 365 was possible.\u201d <\/span><\/p>\n<p><span style=\"font-weight: 400;\">That\u2019s about as absolute and bold a 
statement as I&#8217;ve ever seen from a compliance body.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To be specific, the regulators didn\u2019t explicitly find violations of compliance rules as much as they found data paths Microsoft wouldn\u2019t sufficiently explain. These paths appeared to send data to U.S.-based, Microsoft-controlled servers.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cThe central and recurring question of the series of discussions was in which cases Microsoft acts as a processor and in which cases as a controller. This could not be conclusively clarified.<\/span> <span style=\"font-weight: 400;\">Controllers must at all times be able to demonstrate their accountability in accordance with Art. 5 para. 2 GDPR,\u201d the report said, and then added that they \u201ccontinue to expect difficulties, as Microsoft does not fully disclose which processing takes place in detail. In addition, Microsoft does not fully explain which processing takes place on behalf of the customer or which takes place for its own purposes. The contract documents are not precise in this respect and, as a result, allow processing that cannot be conclusively assessed, possibly even extensive for one&#8217;s own purposes.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Not surprisingly, Microsoft disagrees and insists its products are fully compliant.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cToday, the German Datenschutzkonferenz (DSK) published concerns about how Microsoft 365 (M365) complies with German and EU data privacy laws,&#8221; <a href=\"https:\/\/news.microsoft.com\/wp-content\/uploads\/prod\/sites\/40\/2022\/11\/DSK-Blog-Post_25NOV2022_ENG_FINAL.pdf\" rel=\"nofollow noopener\" target=\"_blank\"> Microsoft said in a statement<\/a>. 
&#8220;We respectfully disagree with the DSK position as we ensure that our M365 products not only meet, but often exceed, the strong data privacy laws in the European Union.\u00a0<\/span><span style=\"font-weight: 400;\">Our customers in Germany and across the EU can confidently use the M365 products in a legally compliant way to empower them to do more with less.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Microsoft also pledged it would try to share more information about its processes (in other words, better transparency).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cWe take to heart the DSK\u2019s push for greater transparency, and while our documentation and transparency practices exceed those of most others in our space, we commit to doing even better,\u201d the company said. \u201cSpecifically, as part of our EU Data Boundary commitments, we will provide additional transparency documentation on customer data flows and the purposes of processing. We will also provide more transparency documentation on the processing and location by subprocessors and Microsoft employees outside of the EU.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">It\u2019s unclear whether Microsoft will be sufficiently transparent by explaining exactly how its dataflows work and why \u2014 and whether the company is willing to change them.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, what does this mean for Microsoft and, more importantly, for Microsoft enterprise IT customers?<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Let\u2019s start with the Microsoft fallout. Compared with the US, Europe takes privacy and cybersecurity compliance very seriously. And it can be argued that Germany has a reputation for taking compliance more seriously than anyone else in the EU or UK.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In theory, that should mean serious consequences for the company. 
But according to Peter Hense,<\/span><a href=\"https:\/\/www.spiritlegal.com\/en\/about-us\/peter-hense.html\" rel=\"nofollow noopener\" target=\"_blank\"> <span style=\"font-weight: 400;\">a privacy specialist in Germany<\/span><\/a><span style=\"font-weight: 400;\"> who frequently works with the regulatory authorities, Microsoft is unlikely to be forced to make more changes or answer specific questions. Its software is simply so widely deployed that it would be politically unappetizing to force the issue.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">German compliance authorities \u201ccan live with the situation where Microsoft pretends to do everything right and the authorities pretend to have done everything in their power to force Microsoft to become compliant,\u201d Hense said in an interview with <\/span><i><span style=\"font-weight: 400;\">Computerworld. <\/span><\/i><span style=\"font-weight: 400;\">Microsoft \u201cdoes not fulfill the most basic requirements of GDPR. They lack basic transparency. We can\u2019t assess what they are doing because they are not telling us.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This is where politics comes into play, where practical forces can influence government compliance actions. German regulators \u201care afraid of retribution. (With regulators thinking) we won&#8217;t get more budget if we say that you can\u2019t use Office any more. Or even Google Analytics, any more,\u201d Hense said. \u201cThese are political issues. Nobody wants to be the bad guy.\u201d<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Thus, Microsoft is likely to skate on the issue \u2014 at least for now. But what about enterprise IT execs? Are companies using Microsoft products immune from compliance punishments? Not necessarily. It might not seem fair to let Microsoft off the hook while fining and otherwise punishing its customers, but Hense argues that&#8217;s quite likely. 
And not just in Germany.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">\u201cIn Belgium, the Netherlands, Germany and elsewhere, there are ongoing cases against the customers of Microsoft products,\u201d Hense said.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">This brings us to an even bigger enterprise IT compliance issue. Not that long ago, a popular IT adage was that no one ever got fired for buying IBM. That meant sticking with the biggest tech providers usually shielded your purchase decisions to a major degree.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In compliance, the same thinking suggests that when companies use Microsoft, SAP, Oracle, Google or one of the other big players, IT can assume the basics \u2014 the most fundamental cybersecurity and compliance issues \u2014 have been taken care of (especially when it comes to something like GDPR).<\/span><\/p>\n<p><span style=\"font-weight: 400;\">That was never a wise strategy, and it certainly isn\u2019t one today. If Microsoft still has gaping holes in minimum-requirement compliance issues, it\u2019s a safe bet that the other major players do, too.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">To be blunt, your compliance is your compliance. Using big-name vendors won\u2019t protect you from regulatory nightmares. 
Authorities might not have the fortitude to go against those vendors, but making an example of a few Fortune 1000 enterprises is an entirely different story.<\/span><\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3682131\/a-compliance-fight-in-germany-could-hurt-microsoft-customers.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},
"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[11063,1328,10516],"class_list":["post-20725","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-data-privacy","tag-government","tag-microsoft"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20725","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=20725"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/20725\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=20725"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=20725"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=20725"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}