The widespread use of Microsoft software in German companies poses a challenge for data protection officers. According to Detlef Schmuck: "Data protection is on fire in many German companies", especially since the EU-US Privacy Shield was declared invalid two years ago.
"The role of data protection officers in companies will become more difficult in the new year," says data security expert Detlef Schmuck, managing director of the German data service TeamDrive GmbH. Above all, the widespread use of software from the US provider Microsoft in the German economy is an increasing problem, because there is a risk that personal data will reach the USA. Since the European Court of Justice declared the transatlantic data protection agreement EU-US Privacy Shield invalid two years ago, data protection has been on shaky ground in large parts of the German economy, says the TeamDrive boss.
Microsoft and the problem: Where is the data?
Detlef Schmuck: "The common Microsoft programs such as Windows, Teams, Office and 365 can only be used in accordance with the law in this country if the data management is consistently kept out of the USA. But that is exactly what is difficult, because it requires detailed settings, in particular to keep Microsoft's own US data service OneCloud away from the installations. In addition, it is difficult to maintain a permanently legally compliant installation, because Microsoft has the opportunity to reinsert OneCloud or change other settings with every update for every program. For example, there are concrete indications that Microsoft always automatically imports its US cloud service when updating Windows. The data protection officers must therefore continuously check whether their companies are still working in accordance with the General Data Protection Regulation or whether they have unintentionally become illegal through an update or other change. This is not an easy job for 2022."
Responsibility for data protection officers, board of directors and management
In addition to the constant technical review, legal skirmishes on the subject of operational data protection could also be on the agenda for the year 2022, speculates Detlef Schmuck. He says: "It is to be expected that the US providers will try to prove that their offers are GDPR-compliant with ever new data protection clauses, reports, attestations and the relocation of cloud capacity to Germany. But US corporations such as Microsoft are ultimately subject to US legislation, and the European Court of Justice has ruled unequivocally that the low level of US data protection is incompatible with the high European requirements for the protection of personal data. Neither Microsoft nor any other US provider can currently bridge this fundamental gap, not even with any amount of legal sophistry. In the end, liability for data protection violations rests with the board of directors or the management of the local company, and of course with the data protection officer."
More at Teamdrive.com