Microsoft responds to EDPB’s guidance with additional safeguards - LfDI finds them deficient

Microsoft issued a statement on 19 November 2020 announcing that it was the first company to respond to the European Data Protection Board's ("EDPB") recent guidance on international personal data transfers in the post-Schrems II era. According to the German data protection authority of Baden-Württemberg ("LfDI"), Microsoft's commitments are not sufficient, as they do not solve the underlying problem: US intelligence authorities' access to the personal data.


The lawfulness of international personal data transfers, especially to the United States, has been highly questionable since the recent ruling of the Court of Justice of the European Union ("CJEU") in case C-311/18 (known as the "Schrems II" case). Following a review of US surveillance laws, the CJEU declared the EU-US Privacy Shield, one of the mechanisms for lawfully transferring personal data to the US, invalid. While the CJEU held that other transfer mechanisms, such as the EU Commission's standard contractual clauses ("SCCs"), remain valid, it underlined that organisations relying on them must assess, prior to any transfer, whether the importing jurisdiction in fact provides a level of data protection essentially equivalent to that guaranteed in the EU. This obligation has caused great uncertainty, because SCCs are a contract between the data exporter and the data importer and therefore cannot bind US intelligence authorities, which are not parties to them.


On 11 November 2020, the EDPB issued its long-awaited guidance on how to carry out international personal data transfers after the Schrems II ruling. According to the EDPB, relying solely on SCCs is unlikely to be sufficient to satisfy the obligation to ensure that personal data enjoys "essentially equivalent" protection after it has been transferred to a third country. Organisations are therefore now expected to implement "supplementary measures" on top of SCCs and other transfer mechanisms, for example technical measures that prevent US intelligence authorities from accessing the personal data.


Microsoft steps in with ‘supplementary measures’


In its announcement, Microsoft commits that it will challenge every government request for public sector or enterprise customer data, from any government, where there is a lawful basis for doing so, and says that this commitment goes beyond the recommendations proposed by the EDPB.


Secondly, Microsoft promises to provide monetary compensation to data subjects if it discloses their personal data in response to a government request in violation of the EU's General Data Protection Regulation ("GDPR").


LfDI issues a statement finding Microsoft’s commitments insufficient


On 20 November 2020, the LfDI issued a statement finding that the additional commitments provided by Microsoft are not sufficient, as they do not solve the underlying problem: preventing US authorities from accessing the personal data in the first place.


However, the LfDI noted that Microsoft is moving in the right direction and has made significant improvements to its contracts. The LfDI will continue its discussions with Microsoft together with the other independent federal and state data protection supervisory authorities of Germany (the "DSK").