Microsoft pushes ‘data protection’ – or: “Trust is good, but no carte blanche”

First of all – I’m not a lawyer. However, for me as well as for other involved and interested parties in the cloud environment, the topic of data protection is of essential significance. Hence, I followed up on Microsoft’s press conference invitation. At this event, Microsoft announced that it is going to make new contractual documents available for its cloud offering ‘Office 365’ in mid-December. These new documents are based on the so-called ‘Orientation Guide – Cloud Computing’ and were implemented as concrete contract terms, which comprise – besides other data protection provisions – the so-called ‘EU Model Clauses’.

And, in order to better understand the details as a non-lawyer, I recalled a presentation that was given by the lawyer Jan Schneider at the CloudConf in November 2011. This speech clarified the details in an uncomplicated and clear-cut manner and highlighted potential problem-solving approaches. And just as Schneider did at that time, Professor Dr. Peter Bräutigam explained the various challenges as well as the corresponding problem-solving approach offered by Microsoft’s standard contractual documents. And without a doubt, this is good news for many user corporations – because not every company that (potentially) intends to use the Office product can (or is willing to) fall back on an internal or external data protection officer or on lawyers who specialize in data protection.

So far, so good. Nonetheless, some thoughts crossed my mind while attending this event:

  • Hannes Oenning, responsible for data protection at Bertelsmann AG, expressed exactly what I thought at that moment. Oenning remarked that Microsoft now delivers what he would deliver if he were a provider. Or in my words: Microsoft now takes the expectations of the lawmaker and applies these high standards to itself. In this context, Microsoft sees itself as the ‘locomotive’ for cloud computing, even though it implements ‘just’ what is required by law.
  • As Professor Bräutigam, for example, noted, many things have been spread about the quite complex topic of data protection and its statutory provisions – and much of it was untrue. Consequently, German businessmen are not ‘worriers’, as Microsoft often called them at its events – it is simply not an easy topic to cut through, and not every user corporation has adequate capacities at its disposal. I do hope this ends now, at least on the part of Microsoft. In any case, I hope that this topic will be treated in a more matter-of-fact manner.
  • Also, the often-mentioned fact that there is strong data protection in Germany (and Europe) could be seen and used as an advantage. Because if user corporations – with the support of the providers – can cope with data protection laws in Europe, then other countries could adopt that. And for cloud service providers that operate in Europe and meet the data protection provisions, this offers an opportunity for a competitive advantage over other providers.
  • Undoubtedly, this complexity of the law required much detailed work from Microsoft – which, as mentioned before, can be expected of the company. If, in addition, Ralph Haupter, chairman of the managing board of Microsoft Germany, mentions that this offer needed ‘a high extent of listening and understanding’, then I can only hope that those two qualities are nothing new for the company.

Finally, it can be stated that this initiative is a good and important step in supporting user corporations to act in a legally compliant manner. But one – in my point of view very important – factor should be pointed out in any case, without diminishing the helpfulness of such documents: this is no carte blanche for user corporations! Because the cloud user is still responsible for meeting all data protection provisions.

Furthermore, the existence of certificates and so on does not release the cloud user from his monitoring obligations. In the end, it has to be investigated in each individual case to what extent the cloud service can be used in a legally compliant manner.

In this respect the cloud does not differ from other usage models…
