Some customers ask us how the Office 365 and G Suite (now Google Workspace) cloud services stand with regard to the GDPR, the European data protection legislation that protects the privacy of European citizens.
This article aims to shed some light on the subject without going into too much technical detail, while providing some common links to institutional sites for those wishing to learn more.
Office 365 and Google Workspace are cloud services (SaaS) managed by US corporations that store your data in their data centers, which can be in the US or in Europe.
Some might think that keeping the data in the EU is enough to be GDPR compliant, but in reality it is not that simple: the GDPR limits the transfer of data by US corporations to other countries on the basis of bilateral agreements between the US and the EU, and those agreements are currently incomplete.
With the Schrems II judgment, the European court in fact invalidated the agreement between the United States and the European Union called Privacy Shield, which regulated the transfer of data from the EU to the USA and had replaced the previous agreement called “Safe Harbor”.
This is because the EU believes that the data of European citizens are being abused and illegally processed not only by American corporations but also by various government agencies.
I am attaching a link to the recently updated European community site which goes into detail on the subject.
from which the following paragraph can be extracted:
“There are the usual attempts to minimize the issue, to legitimize the use of standard contractual clauses and, in general, to ignore the fact that since 07/16/2020 it has been confirmed that for many years the transfers and processing of data from US entities were made illegally.”
Specifically, the EU notes that Microsoft systematically uses data illegally, despite its continual statements that it respects the privacy of European citizens.
In addition, Trump has enacted the CLOUD Act, which strengthens the power of US government agencies (e.g. the NSA) to use American corporate data for national interests, thus moving further away from the European GDPR.
We are therefore faced with a real tug-of-war with no solution in sight. Other countries such as China and Russia have actually banned the use of US cloud platforms and have equipped themselves with their own infrastructures, and people are beginning to talk about “digital colonialism” in Italy as well.
I am attaching a link to the digital agenda of the Italian government.
Utixo, while reselling Microsoft Office 365 and Google Workspace solutions, also offers a proprietary infrastructure for managing mail, similar to Office 365 and using the same technologies (Hosted Exchange), but under its own control and therefore GDPR compliant.
We remain at your disposal for further information on the subject.