Baden-Württemberg: LfDI issues statement on Microsoft's user right strengthening after Schrems II case
The Baden-Württemberg data protection authority ('LfDI Baden-Württemberg') issued, on 20 November 2020, a statement on Microsoft Corporation's suggested measures for guarantees that directly strengthen user rights following the Court of Justice of the European Union's ('CJEU') judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) ('the Schrems II Case') with Microsoft issuing a statement on the same. The LfDI Baden-Württemberg noted that Microsoft's suggested measures will now be evaluated by all decision makers, including in the forthcoming deliberations of the Data Protection Conference ('DSK') and that the LfDI Baden-Württemberg, the Data Protection Authority of Bavaria for the Private Sector ('BayLDA'), and the Hessen data protection authority ('HBDI') will evaluate these changes by Microsoft.
In particular, the LfDI Baden-Württemberg noted that international data transfers from Europe to the USA are only possible to a very limited extent after the Schrems II Case, although numerous US providers are key players in global data processing. One reason for this, the LfDI Baden-Württemberg opined, is the excessive mass surveillance by US security authorities, such as the National Security Agency ('NSA'), which is why data from Europeans may only be transmitted to the US under additional protective measures, and the LfDI Baden-Württemberg highlighted that the European Data Protection Board issued initial recommendations for action on the design of protective measures for public consultation.
Furthermore, the LfDI Baden-Württemberg outlined that, in the suggestions, Microsoft's new Standard Contractual Clauses ('SCCs') contain provisions on:
- the right to compensation for a data subject whose data has been processed unlawfully and who has suffered material or immaterial damage as a result;
- informing the data subject if Microsoft has been legally obliged by a government order to release data to US security authorities; and
- Microsoft's obligation to take legal action and go to the US courts to challenge the government's order to release the data.
However, the LfDI Baden-Württemberg stated that, according to the joint assessment of the data protection supervisory authorities involved, this does not generally solve the transfer problem to the USA because an addition to the SCCs could not lead to the US secret services' access to the data being prevented.
Microsoft noted that it is committed to challenging every government request for public sector or enterprise customer data where there is a lawful basis for doing so. In addition, Microsoft further stated that it will provide monetary compensation to these customers if they disclose their data in response to a government request in violation of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR').
Finally, the LfDI Baden-Württemberg highlighted that before the end of the year, the DSK will continue its talks with Microsoft on the Office software package.