Microsoft 365 and the European GDPR
Some customers ask us to explain the relationship between the Office 365 and G Suite (now Google Workspace) cloud services and the GDPR (General Data Protection Regulation), the European data protection legislation that protects the privacy of European citizens.
This article is intended to shed some light on the subject without going into too much technical detail, but still providing some links to institutional sites for those who wish to explore further.
Is Microsoft 365 GDPR compliant?
Office 365 and Google Workspace are cloud services (SaaS) operated by U.S. corporations. They store data in their own data centers, which may be located in either the U.S. or Europe.
Some people might think that it is enough for the data to be stored in the EU to be GDPR compliant, but it is not that simple. The GDPR in fact restricts the transfer of data by U.S. corporations to other countries (see also this article). Such transfers rely on bilateral agreements between the U.S. and the EU that are currently incomplete.
Indeed, in Schrems II the European court invalidated the agreement between the United States and the European Union known as the Privacy Shield. This agreement regulated precisely the transfer of data from the EU to the U.S. and had replaced the previous agreement, called Safe Harbour.
This is because the EU believes that the data of European citizens is being abused and processed illegally, not only by American corporations, but also by various government agencies.
We attach a link to the recently updated European community site that goes into detail on the topic.
The following paragraph is taken from that article:
“There are the usual attempts to downplay the issue, to legitimize the use of standard contractual clauses, and generally to ignore the fact that as of 7/16/2020 it has been confirmed that for many years data transfers and processing by U.S. entities have been carried out illegally.”
Specifically, the EU finds that Microsoft systematically uses data illegally, despite its constant declarations that it respects the privacy of European citizens.
In addition, Trump enacted the CLOUD Act, which strengthens the power of U.S. government agencies (e.g., the NSA) to use the data held by U.S. corporations in the national interest, moving further away from the European GDPR.
What could be the solution?
We are therefore facing a tug-of-war with no real solution in sight. Other countries such as China and Russia have effectively banned the use of U.S. cloud platforms and have set up their own infrastructures; now people are beginning to talk about “digital colonialism” in Italy as well.
Attached here is a link to the Italian government’s digital agenda.
While reselling Microsoft Office 365 and Google Workspace solutions, Utixo also offers a proprietary mail management infrastructure. It is similar to Office 365 and uses the same technologies (Hosted Exchange), but it is under our control, so it is GDPR compliant.
For more information please do not hesitate to contact us, our team will be able to give you all the support you need!