German watchdog group reports Microsoft 365 violates GDPR child consent protections

News

Reading time icon 2 min. read

Calendar icon Published on

by Kareem Anderson 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Microsoft and German federal and state data protection authorities are going back and forth over General Data Protection Regulations (GDPR) as the country looks to ban Microsoft 365 in schools.

The most recent dispute comes as the German Watchdog group Datenschutzkonferenz published a new report that states Microsoft remains in breach of GDPR despite two years of negotiations.

Datenschutzkonferenz’ issues with Microsoft 365 are two-fold with the first being a violation of cloud data sovereignty and the other having to do with adolescent data consent policies. GDPR stipulations state that children under 13 cannot consent to having their data collected and the Datenschutzkonferenz report claims that accessing Microsoft 365 by children automatically give Microsoft “access to unencrypted and non-pseudomized data.”

Microsoft disputes the DSK’s report with the following statement, “We ensure that our M365 products not only meet, but often exceed, the strict EU data protection laws. Our customers in Germany and throughout the EU can continue to use M365 products without hesitation and in a legally secure manner.”

However, over the past two years, Microsoft has attempted to make concessions to meet the demands of Germany’s DSK, but efforts have stalled with DSK claiming Microsoft has only changed its wording but not the actual way Microsoft 365 collects data, and Microsoft reiterating its commitment to addressing “any remaining concerns.”

While Microsoft is attempting to assuage fears the German DSK have over data access and collection, the company is realistically hamstrung by several US-based regulations that include the Lawful Overseas Use of Data Act (CLOUD Act) and FISA 702 which supersede foreign citizens’ rights to expedite data access when pursuing criminal investigations.

By their very nature, the CLOUD Act and FISA 702 require that Microsoft, Google, Apple, and other large scale international data traffickers “preserve, backup, or disclose contents of electronic communication or noncontent records.”

It is unclear where Microsoft and Datenschutzkonferenz go from here but unless the software giant can figure out a loophole to US-based regulatory policies dealing with international data, they and other companies will continue to potentially run afoul of GDPR standards in both broad and specific cases like those dealing with consent of minors.

Kareem Anderson

Kareem Anderson Shield

Networking & Security Specialist

Kareem is a journalist from the bay area, now living in Florida. His passion for technology and content creation drives are unmatched, driving him to create well-researched articles and incredible YouTube videos. He is always on the lookout for everything new about Microsoft, focusing on making easy-to-understand content and breaking down complex topics related to networking, Azure, cloud computing, and security.