German watchdog group reports Microsoft 365 violates GDPR child consent protections

Kareem Anderson

Microsoft and German federal and state data protection authorities are going back and forth over the General Data Protection Regulation (GDPR) as the country looks to ban Microsoft 365 in schools.

The most recent dispute comes as the German watchdog group Datenschutzkonferenz (DSK) published a new report stating that Microsoft remains in breach of GDPR despite two years of negotiations.

Datenschutzkonferenz’s issues with Microsoft 365 are twofold: the first is a violation of cloud data sovereignty, and the other has to do with adolescent data consent policies. GDPR stipulations state that children under 13 cannot consent to having their data collected, and the Datenschutzkonferenz report claims that children accessing Microsoft 365 automatically gives Microsoft “access to unencrypted and non-pseudonymized data.”

Microsoft disputes the DSK’s report with the following statement: “We ensure that our M365 products not only meet, but often exceed, the strict EU data protection laws. Our customers in Germany and throughout the EU can continue to use M365 products without hesitation and in a legally secure manner.”

However, over the past two years, Microsoft has attempted to make concessions to meet the demands of Germany’s DSK, but efforts have stalled, with the DSK claiming Microsoft has only changed its wording but not the actual way Microsoft 365 collects data, and Microsoft reiterating its commitment to addressing “any remaining concerns.”

While Microsoft is attempting to assuage the fears the German DSK has over data access and collection, the company is realistically hamstrung by several US-based regulations, including the Lawful Overseas Use of Data Act (CLOUD Act) and FISA 702, which supersede foreign citizens’ rights in order to expedite data access when pursuing criminal investigations.

By their very nature, the CLOUD Act and FISA 702 require that Microsoft, Google, Apple, and other large-scale international data traffickers “preserve, backup, or disclose contents of electronic communication or noncontent records.”

It is unclear where Microsoft and Datenschutzkonferenz go from here, but unless the software giant can figure out a loophole to US-based regulatory policies dealing with international data, it and other companies will continue to potentially run afoul of GDPR standards in both broad and specific cases like those dealing with consent of minors.