A public spat between Microsoft and the Berlin Data Protection Commissioner in May 2020 highlighted the privacy issues surrounding the use of videoconferencing services like Zoom, Microsoft Teams or Skype. One of the bones of contention was whether the European DSGVO and other European or national laws would take precedence over US law if a conflict between these two legal spheres were to arise. The controversy also showed how differently data-protection actors assess the significance of well thought-through privacy policies and of comprehensive data protection arrangements.
Berlin Data Protection Commissioner Maja Smoltczyk (full title: Berliner Beauftragte für Datenschutz und Informationsfreiheit) published two documents on her official website on 30 April 2020 in which she commented on the use of videoconferencing services during the Covid-19 crisis. In her “Memorandum” (Vermerk), the original version of which is no longer online, she mentioned that using the videoconferencing services Microsoft Teams as well as Skype for Business Online carries legal and privacy risks.
According to German news service t–online.de, which broke the story, Microsoft responded by sending the commissioner a cease-and-desist letter (Abmahnung) on 5 May 2020, requesting the authority to “remove incorrect statements as quickly as is technically possible, and to withdraw them” (unrichtige Aussagen so schnell wie technisch möglich zu entfernen und zurückzunehmen).
Microsoft additionally issued a publicly available press release on 6 May 2020, in which it stated that “Microsoft Teams und Skype for Business Online can be used for conversations and content of a sensitive nature without any reservations” (können ohne Einschränkung auch für sensible Gespräche und Inhalte genutzt werden).
Microsoft also added that “by design, Microsoft Teams und Skype for Business do not enable anyone to carry out wire tapping. Furthermore, Microsoft does not carry out wire tapping—defined as the systematic and content-based collection of content data—in the course of operating Microsoft Teams and Skype for Business Online” (Microsoft Teams und Skype for Business sehen keine Abhörmöglichkeiten vor. Ein Abhören, als das systematische und inhaltsbezogene Erfassen von Inhaltsdaten, findet auch im Rahmen des Betriebs von Microsoft Teams und Skype for Business Online durch Microsoft nicht statt.)
What Berlin’s Data Protection Commissioner actually said
The data protection commissioner’s comments (which were reissued in a slightly altered version on 22 May 2020) were addressed to “companies, public authorities, and other institutions subject to its supervision” (Unternehmen, Behörden und andere ihrer Aufsicht unterliegende Institutionen). The comments were therefore mainly addressed to educational establishments, companies and public authorities in the city state of Berlin. The commissioner’s statements were intended “to provide advice on the requirements that apply to the use of videoconferencing systems, and to describe the risks that may be incurred if such requirements are not observed” (Hinweise zu den Anforderungen an die Nutzung von Videokonferenzsystemen zu geben und die Risiken zu beschreiben, die entstehen, wenn sie nicht eingehalten werden).
Among the risks, the commissioner counted the fact that “the provider of the videoconferencing system may make a recording of the call or the conference, be it for his own purposes or because a public authority requires him to do so” (der Betreiber des Videokonferenzsystems selbst kann ein Interesse haben oder behördlich dazu verpflichtet sein, einen Mitschnitt anzufertigen). Personal health data and data on political views were described as particularly sensitive data that might fall into the wrong hands (das Risiko ist am größten, wenn in dem Austausch sensible Themen angesprochen werden wie z.B. der Gesundheitszustand oder die politischen Auffassungen einer Person.)
After some general comments on the privacy risks associated with using supposedly European videoconferencing services that actually process substantial amounts of data outside Europe, the commissioner described two videoconferencing business models that Berlin institutions, public authorities and companies should steer clear of:
1) providers that solely act as resellers of services that are actually provided by companies from the United States (Anbieter, die lediglich als Wiederverkäufer von Leistungen US-amerikanischer Unternehmen fungieren), and
2) providers that provide a significant proportion of the service through a non-European company that is part of the same group of companies (andere lassen einen wesentlichen Teil der Dienstleistung von außereuropäischen Unternehmen der gleichen Unternehmensgruppe erbringen).
Even if Berlin companies, institutions and public authorities possess a European contractual partner in each of the above cases , the commissioner warned that this was no guarantee that the actual provider would comply with European law, rather than with the law of its country of establishment, should a conflict between the two legal spheres arise (In den beiden letztgenannten Fällen gewinnen Sie zwar einen europäischen vertraglichen Ansprechpartner. Jedoch ist auch dadurch nicht sichergestellt, dass der Anbieter sich im Konfliktfall an EU-Recht hält und nicht an sein lokales Recht.)
Commissioner Maja Smoltczyk then specifically mentioned Microsoft Corporation, headquartered in the United States, (and its videoconferencing service Microsoft Teams) as well as the Microsoft subsidiary Skype Communications S.à.r.l., domiciled in Luxembourg, as examples.
German consumer safety group heavily criticises privacy policies
Stiftung Warentest slammed the privacy policies of all twelve providers it had tested in no uncertain terms: “The providers show no sign of ever having seriously concerned themselves with the European General Data Protection Regulation (GDPR). Furthermore, Google’s and Microsoft’s documents are unreasonably long (Anbieter lassen keine ernsthafte Befassung mit der europäischen Datenschutzgrundverordnung (DSGVO) erkennen. Die Dokumente von Google und Microsoft sind außerdem unzumutbar lang.)
So what do the privacy policies actually say? The Microsoft Privacy Statement that applies to Teams whenever it is used for free is simply the generic Microsoft privacy statement. Among other things, the Privacy Statement contains the following wording under the heading “How we use personal data”:
“In particular, we use data to: […] advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers.”
“We also use the data to operate our business, which includes analysing our performance, meeting our legal obligations, developing our workforce and doing research.”
“In carrying out these purposes, we combine data we collect from different contexts (for example, from your use of two Microsoft products) or obtain from third parties.”
“Our processing of personal data for these purposes includes both automated and manual (human) methods of processing. Our automated methods often are related to and supported by our manual methods.”
In a blog entry of 17 May 2020—referenced in a positively-rated comment on a news story that appeared on the influential German computer news site Heise Online—Matthias Eberl, a well-known German data-protection journalist, commented on the “uselessness”, as he saw it, of the generic Microsoft privacy statement for the use of Teams: “The GDPR requires that data must be processed in a comprehensible way. The manner of processing must be clearly explained; a generic description is too unclear. One can deduce everything and nothing from it, e.g. that ‘Microsoft analyses video data with AI and then uses the data for research’. What does this mean?” (Die DSGVO erfordert, dass Daten in nachvollziehbarer Weise verarbeitet werden. Dies muss präzise dargestellt werden, eine generische Darstellung ist zu unklar: Man kann alles und nichts herauslesen, zum Beispiel, dass Microsoft Videodaten mit KI analysiert und dann für Forschung verwendet. Hm?).
Microsoft’s DPA, and the guarantees provided therein
With regard to private persons using Teams at no cost it might be true that the generic Microsoft privacy statement is too unspecific about the way their personal data will be used. In its press release of 6 May 2020, Microsoft—speaking about companies as customers—stated, however, that “the Online Service Terms and the Data Protection Addendum (“DPA”), which are available on our website in the German language as well, contain all the contractual details required by applicable European data protection law (die Online Service Terms und das Data Protection Addendum (“DPA”) – die auf unserer Webseite auch in deutscher Sprache zur Verfügung stehen – enthalten alle nach dem geltenden europäischen Datenschutzrecht erforderlichen vertraglichen Inhalte).
The Microsoft download website (last accessed on 17 June 2020) further clarifies: “When you subscribe to an Online Service under the terms of the OST [Microsoft Volume Licensing Online Services Terms], the data processing and security terms are defined in Microsoft Online Services Data Protection Addendum (DPA). The DPA is an addendum to the OST.”
Wikipedia defines the term “volume licensing” thus: “In software licensing, a volume licensing is the practice of selling a license authorizing one computer program to be used on a large number of computers or by a large number of users. Customers of such licensing schemes are typically business, governmental or educational institutions.” Therefore Microsoft’s DPA probably does not apply to private individuals using free versions of Microsoft Teams. It does, however, apply to the target audience of the Berlin commissioner’s memorandum.
In its press release, Microsoft furthermore stated that “to the extent that customer data and personal data are transferred to, or stored or processed in, the US or any other country in which Microsoft provides services, either itself or via any of its sub-processors, Microsoft always uses suitable guarantees that are recognised by data protection law (Soweit Kundendaten und personenbezogenen Daten in die USA oder in ein anderes Land, in dem Microsoft oder ihre Unterauftragsverarbeiter tätig sind, übermittelt und dort gespeichert bzw. verarbeitet werden, werden stets geeignete und vom Datenschutzrecht anerkannte Garantien eingesetzt). The German adjectives “geeignet” (suitable) and “anerkannt” (recognised) do not have a well-defined legal meaning when it comes to guarantees, however. The phrase sounds rather vague in German.
The EU’s standard contractual clauses (2010/87/EU)
With regard to the actual guarantees provided, Microsoft explained that “for this purpose it uses the standard contractual clauses (2010/87/EU) enacted by the European Commission, which are set out in Attachment 2 of the DPA” (Microsoft nutzt hierzu die von der EU Kommission erlassenen EU Standardvertragsklauseln (2010/87/EU); diese finden Sie in Anlage 2 zum DPA). This statement can be easily verified.
The standard contractual clauses are part of the Microsoft Online Services Data Protection Addendum (DPA) of January 2020. In the completed form that Microsoft executed as Attachment 2 of the DPA of January 2020 (more specifically as Appendix 1 to the Standard Contractual Clauses), the company stipulates the following: “Data exporter: Customer is the data exporter”, and: “Data importer: The data importer is MICROSOFT CORPORATION”.
Recital 23 of 2010/87/EU clarifies, however, that the Standard Contractual Clauses apply “only to subcontracting by a data processor established in a third country of his processing services to a sub-processor established in a third country” (finden nur Anwendung, wenn ein in einem Drittland niedergelassener Datenverarbeiter einen in einem Drittland niedergelassenen Unterauftragsverarbeiter mit seinen Verarbeitungsdiensten beauftragt) (Microsoft also uses the term “Unterauftragsverarbeiter” [sub-processor] in its press release of 6 May 2020; see above). Commission Decision 2010/87/EU does not guarantee the way the (principal) processor, who is the “data importer”, uses the data. The processor, and data importer, in this case is Microsoft.
No guarantee of non-disclosure to US law enforcement authorities
It would seem difficult to state that Attachment 2 of the Microsoft DPA of January 2020 invalidates the Berlin commissioner’s claim that there is no guarantee that the actual provider of the service (the processor, i.e. Microsoft, domiciled in Redmond, USA) will comply with European law rather than with the law of its country of establishment (the United States), since Commission Decision 2010/87/EU is really only meant to regulate the relationship between the “data importer” (Microsoft) and any of its sub-processors outside the EU or EEA with regard to tort and liability.
Preventing the disclosure of personal data, like medical data or data on political views, is not within the scope of application of 2010/87/EU. After all, Clause 5(d) of the Standard Contractual Clauses (also contained in Attachment 2 of the Microsoft DPA) stipulates: “The data importer [this is Microsoft; E.V.] agrees and warrants: (d) that it will promptly notify the data exporter [e.g. a company or public authority in Berlin; E.V.] about: (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.”
Being informed about the unpreventable disclosure of one’s personal data (and sometimes not even being informed, because this is “otherwise prohibited” under a third country’s law) is obviously not the same as such disclosure being physically (or perhaps one should say legally) impossible due to the data not being in the jurisdiction in question. It would seem that Commissioner Maja Smoltczyk was talking about this very issue when she said that “the provider of the videoconferencing system might make a recording of the call or the conference, be it for his own purposes or because a public authority requires him to do so” (der Betreiber des Videokonferenzsystems selbst kann ein Interesse haben oder behördlich dazu verpflichtet sein, einen Mitschnitt anzufertigen).
The fact that the Microsoft press release used the German verb “etwas vorsehen” (which could be translated as “to provide something by design” or “to be designed for some purpose”) might also not be entirely coincidental. Software products that do not provide a certain feature, e.g. wire tapping, “by design” (sehen keine Abhörmöglichkeiten vor), might easily be programmed to provide such a feature, even if this was not in the interest of the original provider of the software or the service, and was not intended. A provider might simply be legally required to alter the software to provide a certain (new) feature.
Microsoft did not press its case, and in June 2020 the Memorandum could still be accessed in its revised version of 22 May 2020 (version 1.1, quoted in this article). There were no further reports in the media of legal action or any other communications between the two parties involved. The issue whether institutions, public authorities and companies are always safe from a data-protection perspective to use videoconferencing systems that are not based in the EU or EEA therefore remains largely unresolved. The fact remains, however, that the way privacy policies are provided and handled does not greatly help to clarify the issue. It seems that no one is too sure about the specific legal and technical framework that regulates data protection in videoconferencing services. This can also be seen in the way the German language was used in the press release cited at length in this article.
Please note: in order to improve readability of this article, when quoting from German texts in the original German, I have often shortened phrases or adapted them to the present English-language text without indicating such changes. If in doubt, please refer to the original sources provided as links.