[German]Microsoft Germany has send a cease and desist to Berlin's Commissioner for Data Protection and Freedom of Information. An action that leaves many observers somewhat speechless. The warning concerns guidelines for video conferencing, which provide information on test criteria for the safe use (also GDPR) of videoconferencing in companies and public authorities.
Advertising
Some Background information
In the light of increased use of video conferences during coronavirus-related social distancing, Berlin's Commissioner for Data Protection and Freedom of Information published in April 2020 checklists for the implementation of video conferences. In the two-page "Checklist for the use of video conferences during contact restrictions", which has since been deleted but can still be found in the Google cache, Berlin's data protection authority warns against the use of widely used programs that may not meet certain data protection and security requirements.
I have the document available as a PDF version. The information is in a rather general manner and gives recommendations on what companies and authorities should consider when using video conferencing software. For example, it points out that the use of videoconferencing services by operators based outside the EU is legally problematic. Data protectionists consider it ideal if companies host the videoconferencing software themselves. If this is not possible, the recommendation is to switch to European providers. Providers based outside the EU, e.g. in the USA, are mentioned as problematic. Here users should pay attention to whether the service provider is legally resident in the EU – and warn against constructions where subsidiaries are only resellers of the services of US companies. The user, however, remains stuck with the legal risks despite having a European contact person.
In the course of the document, Microsoft Corporation and its services Skype and Teams were mentioned as examples of possible risks – but without elaborating further. It read to me like 'take a closer look when you use this' – but the decision was left to the privacy officer of the respective authority or company.
Microsoft's cease and desist letter
Up to this point everything is still clear. A data protection authority will draw up a guide and give guidance to users on what to look out for security and data protection requirement. If a company sees itself misrepresented, I think the approach would be to publish a statement for the press and approach the data protection authority concerned to clarify things.
But Microsoft has chosen a different, more conflict-prone and, in my view, critical path. The chief lawyer of Microsoft Germany accuses the Berlin Commissioner for Data Protection and Freedom of Information that the "assumptions are factually or legally incorrect". The Microsoft chief legal counsel sees the criticism as related to the company and its products Teams and Skype (just a note: the data protectors only specify test criteria, there is no request not to use Teams or Skype – that is decided by the data protection officer of the respective user company).
Advertising
From this point on, it gets difficult now. The data protectors write that "video conferences carry the risk of being overheard and recorded without authorization, even on behalf of third parties", which is not wrong in principle. At some point in later paragraphs, Microsoft Teams and Skype are mentioned as examples where legal risks might lurk. Since the risks are generally referred to in the previous text, it is unclear to me which risks are meant specifically.
Whatever the case, Microsoft's lawyers have allegedly send a cease and desist letter to the Berlin Commissioner for Data Protection and Freedom of Information, according to t-online.de, about these videoconferencing guidelines with the alleged warnings about Microsoft products. According to the editors, the authority is requested in the letter available to t-online.de to "remove and withdraw incorrect statements as quickly as technically possible". Microsoft considers its reputation to be considerable and that it is suffering commercial damage. According to t-online, the letter does not contain any financial claims.
Note: I am not sure whether t-online.de has presented the facts of the cease and desist letter in a legally correct way or whether the Microsoft in-house lawyers have messed it up. To my knowledge – I am not a lawyer – we can't send a cease and desist letter to German authorities. Microsoft could go to an administrative court and file an official liability suit. However, I have not read anything about this. At the very least, one should at this point put a slight question mark in relation to the source t-online for the facts presented here.
The editors of t-online.de, who have documented the case here, wrote that, according to the information provided, 'the Berlin case' is also being discussed by other data protection authorities. According to t-online.de, at least some state data protection officers would like to see Berlin's top data protection officer Maja Smoltczyk not give in to Microsoft. T-Online writes that the case would also become explosive, because the author of one of the two papers is an expert of the German Association of Chambers of Industry and Commerce.
German pen tester Mike Kuketz has taken up the case here and addressed some 'explosive points' in the matter of data protection. According to him, Berlin's data protection watchdog would have been more than right to mention Skype for Business and Microsoft Teams as probably critical in the light of security and privacy. But the German watchdows never did so explicitly. The check lists was simply provided as a reference for data protection officers in companies and authorities when they 'evaluate' the DSGVO conformity of various products and service providers.
The Berlin Commissioner for Data Protection and Freedom of Information has reacted in that the test criteria have since been removed from the websites. The guidelines of the Berlin Commissioner for Data Protection and Freedom of Information, which have since been removed, bear the date 30 April 2020 in the version available to me, but German magazine heise says that the document was drawn up at the beginning of April 2020. At that time, Microsoft had just revised its data protection conditions for teams (after criticism from data protectionists).
All in all, I remain stunned at this point, even if I cannot judge the whole thing legally. For me, it seems that the US company is taking out the legal cudgel to sweep general, but unpopular, video conferencing guides from the web using the instrument of a cease and desist. In other words, this could affect every blog and website on any topic in a similar way.
The only thing that remains here is to rely on a Streisand effect. And it is to be hoped that the German data protection watchdogs will fight the matter out and at the end of the day draw a clear guideline not to use software and services not conform to GDPR. For me, I have drawn a conclusion as to how I will deal with products of a certain company in the future within my blog.
Advertising