Is Microsoft 365 GDPR-compliant? Spoiler alert: no

Ever since the GDPR took effect in 2018, there has been a lot of discussion about whether services like Microsoft 365 comply with this privacy regulation. We've written extensively about that before, and the answer so far has always been 'no'.

But as of Jan. 1, 2023, Microsoft says it has put up a 'data border' (the EU Data Boundary) between the U.S. and Europe. With that, Microsoft claims its Azure, Microsoft 365, Dynamics 365 and Power BI services are fully GDPR-proof. But is that really the case?

Thanks to that new data border, the data of European business customers is no longer stored in the U.S., but only in Europe. That's already a win. The problem was that, under the US CLOUD Act, US authorities can compel a US provider to hand over the data it stores, so anything held on US servers was within their reach. In other words, your data was not safe from US authorities.


The Cloud Act and what it means for Europe

Watch our free webinar with GDPR and data privacy expert, Alexander Hanff.


US regulations remain a problem

Microsoft's move to European-only servers looks like the solution to this issue. But unfortunately for Microsoft, U.S. law continues to throw a spanner in the works. Although U.S. authorities cannot physically access a server in Europe, the CLOUD Act lets them legally compel any U.S. company to produce data in its possession, custody or control, regardless of whether that data is stored inside or outside the United States. That applies to servers in Europe, or anywhere else in the world.

So this latest change from Microsoft doesn't change the legal position: where the data sits is irrelevant as long as a U.S. company can be ordered to hand it over. To use Microsoft's products and still be GDPR-compliant, you need to take extra measures. The easiest and most secure solution is zero-knowledge end-to-end encryption.


Encryption is the only solution

By encrypting data so that only the sender and receiver can read a message, you ensure that anyone who gains access to the data on the server still can't read it. Even someone with physical access can do nothing with a server on which all the data is protected by zero-knowledge end-to-end encryption. The decisive point is who holds the keys: if the provider itself holds the decryption keys, it can be compelled to hand those over as well, and the encryption buys you nothing. 'Zero knowledge' means the provider stores only ciphertext and never has the keys.

Microsoft's services are therefore still not 100% GDPR-proof, because U.S. authorities can compel U.S. companies to hand over data even when it is stored abroad.

So the answer to whether Microsoft's online services are really GDPR-proof is still a definite 'no'. Fortunately, you can use zero-knowledge end-to-end encryption to make it a GDPR-proof service yourself. How exactly this form of data security makes the difference is explained in this blog post.

Want to know how easily Smartlockr can turn Microsoft into a GDPR-compliant solution? Book your free demo below.
