
Microsoft, Google & Co


There is hardly a topic in the area of data protection that is discussed as intensively as the use of large US providers such as Microsoft or Google under data protection law.

This is mainly due to the fact that these providers (like many others) are based in the USA. In 2016, the EU Commission certified an adequate level of protection for personal data in the USA via the Privacy Shield Agreement. However, this agreement was declared invalid by the European Court of Justice in 2020. Although this did not prohibit the lawful use of US service providers, it did make it more difficult.

Since 10 July 2023, there has been a new adequacy decision in the form of the EU-US Data Privacy Framework, which simplifies the transfer of data to the USA from a data protection perspective. Nevertheless, the topic of Microsoft and Google continues to be hotly debated.


What exactly is criticised?

One point of criticism levelled at these providers is the lack of transparency regarding the actual processing of personal data. Some companies process the data not only for the purpose of the actual service, but also analyse personal data for advertising purposes or to optimise their services. Although neither of these is prohibited, the data subjects must be fully informed. This is the point of criticism: companies are accused of not providing transparent and comprehensive information about all processing. Organisations that use these services are therefore also unable to adequately inform data subjects about data processing.

Take Microsoft, for example: when Microsoft 365 is used, a large amount of personal data is collected. Microsoft does not provide a complete list of exactly what data is collected, and there is only incomplete information about the purposes of processing. Some data protection experts also believe that the extensive and complex administration options of Microsoft 365 make it almost impossible to configure the service in accordance with data protection law.

The recommendation is therefore often to use solutions from providers that do not have these open questions and uncertainties. We will introduce some of them in the second part of this course.