from Hacker News

German privacy watchdogs conclude that Microsoft 365 is incompatible with GDPR

by Quanttek on 11/26/22, 11:27 AM with 328 comments

  • by pieter_mj on 11/26/22, 11:56 AM

  • by lgreiv on 11/26/22, 1:12 PM

    My personal favorite outcome of this would be a joint public- and corporate-funded leap in open-source development. This would do much for the budget, privacy and probably also security of businesses and private users. A good example where this principle is already in use is the Matrix protocol.

  • by throwaway294566 on 11/26/22, 12:13 PM

    The problem, as always, is that it's all talk and (almost) zero enforcement in Germany.

    Complaints to a data protection official take forever and are usually dismissed at first, even if that runs counter to published opinions or decisions such as TFA. Only if you still care after a few years of waiting and at least one appeal might you get a decision, and usually a very cheap one for the perpetrator.

  • by rcarr on 11/26/22, 2:45 PM

    Tech will end up exactly the same way finance is (if it isn't already there). Employees will work for the regulatory enforcement agency for around five years on shit pay, learning how the system works from the inside and making contacts in the industry, before leaving and being ushered into a tech firm with a nice six-figure salary. Meanwhile, no regulations will really get enforced apart from the odd token case against a big company so the agency can continue to justify its existence and funding. The fine against the big company will be a complete drop in the ocean and will have already been accounted for well in advance by said company as a natural cost of doing business. No one will go to prison for any wrongdoing unless it's a fraud case where someone has tried to cheat the company and the regulators for their own individual gain, in which case they'll be made an example of to ensure all the other players stay in line and don't rock the apple cart. Repeat until the end of time.

    Any attempts to appoint new leadership to reform the existing corrupt agencies will most likely end up being sabotaged from within by bureaucrats who gain from the system remaining dysfunctional. The only two ways you can effectively change it are:

    - setting up completely new 'start-up' agencies and appointing people to wind down and distract the power players in the existing ones.

    - going full nuclear like Elon just did at Twitter and firing the majority of the workforce

  • by Lurkars on 11/26/22, 2:01 PM

  • by jonas-w on 11/26/22, 2:28 PM

    I use OnlyOffice[0] because MS Office doesn't run on Linux. It is open source and seems to have the best compatibility with MS Office. You can self-host it and/or use it locally. It also integrates with e.g. Nextcloud or Seafile.

    Some features are missing, yes, but the usability (IMO) is better than Libre-/OpenOffice.

    I don't know how good the collaboration is, but they seem to advertise it.

    [0] https://www.onlyoffice.com/

  • by calculated on 11/26/22, 1:58 PM

    For businesses that might want to switch to an alternative.

    A great one is Cryptpad: https://github.com/xwiki-labs/cryptpad

    There are hosted instances also if you're not interested in self hosting.

    P.S. I'm not affiliated in any way with the project.

  • by firefoxkekw on 11/26/22, 1:19 PM

    365 is the cloud-based suite of Microsoft Office; you can still use Microsoft Office 2021 Professional or older versions.

    365 is a nice way to collaborate at work; if you are a small business it is a nice product. For big companies this is just going to be more of a headache for their IT department: now, instead of relying on Microsoft's servers to allocate and store the documents, they will use some other server from who knows what company, hosted who knows where. Some will be hosted with E2EE, including at rest, while others will end up using some shit show of servers from a company owned by some dude from not-so-friendly countries.

    I understand that privacy is a big risk for companies, but regulating it this way can easily end in a cobra effect.

  • by ekianjo on 11/26/22, 2:31 PM

    Next is Windows 11 with its always-log-on requirement.

  • by pluc on 11/26/22, 1:41 PM

    Is it me or does Germany switch (back?) to open source every few years? I remember being excited that they were switching to Linux (or was it Munich?) years ago.

  • by sendfoods on 11/26/22, 12:07 PM

    At this point, isn't it pretty safe to assume very few Silicon Valley services conform to GDPR?

    Another example was shared recently: Shopify is technically illegal in Germany [1]

    [1] https://news.ycombinator.com/item?id=33561222

  • by smeej on 11/26/22, 1:58 PM

    I'm not European, and maybe this is why I struggle to understand this, but why do people want regulators to say, "This doesn't comply with our regulations, so you aren't allowed to use it?"

    I understand the hope is that companies will comply rather than forego the entire European market, but if they don't, the last consequence is ultimately on the consumer, not the company.

    It seems like the same type of thing as when Quebec recently decided any service that serves customers in Quebec must offer a French version of all their services. Quebec is a much smaller market than Europe, so the effect was that companies just stopped offering services to people in Quebec, but it seems like these are the same kind of issue.

    Government wants services to be provided in a certain way. Service provider declines. Consequences disproportionately impact the consumer, not the service provider.

    Why should it be up to a governmental agency to tell you you are not permitted to use a service because they think the service is being provided in a way they don't like?

  • by grammers on 11/26/22, 4:36 PM

    This is not surprising, as Austria, France and Denmark have already concluded the same.

  • by nathias on 11/26/22, 1:09 PM

    Finally, this is really great news for anyone European. I hope it won't take long to determine there are a whole lot of other MS products that should also be illegal.

  • by throwaway4good on 11/26/22, 1:42 PM

    Microsoft just needs to place data from EU customers on EU soil and in a manner that is inaccessible to US authorities.

    Why is this so hard?

  • by ganesh7 on 11/26/22, 3:57 PM

    It should be possible to put these bureaucrats in their place. After all, Germany is just another client state.

  • by lizardactivist on 11/26/22, 3:48 PM

    Good. The sooner this data siphon is cut off from the EU the better.

  • by dhdgrygev on 11/26/22, 12:52 PM

    These people keep acting like they're so clever for figuring this out, yet in reality all they're doing is giving death sentences to European companies by making them unable to use industry-standard products.

  • by f_devd on 11/26/22, 1:39 PM

    I'm not sure why there is such a doomer sentiment (mostly from the US community but also some EU) about stepping away from Office 365. There are already existing replacements which comply with GDPR for all of their services (modulo any vendor lock-in that I can't think of right now). The ruling is mainly for the government and education sectors, since those handle PII regularly through these services, so the main challenge will be packaging the currently relatively fragmented market in such a way that these sectors can migrate and adopt easily, which if done right is a one-time investment from the EU.

  • by th3h4mm3r on 11/26/22, 2:27 PM

    Okay. And now?

  • by funstuff007 on 11/26/22, 1:29 PM

    I would argue it's basically impossible to have an internet-connected app that does not run afoul of GDPR in one way or another. It's really just a question of how much of GDPR you can comply with at a reasonable cost, or, as a better strategy, doing your best to comply with the spirit of GDPR if not the letter.

  • by SpaceManNabs on 11/26/22, 3:27 PM

    Aren't CDNs against GDPR in some cases? It seems like an overly broad regulation that is enforced but often dismissed in judgement, changing nothing, adding headache, and preventing meaningful regulation from taking its place...

    And when you request data from companies, you don't even get what you want a lot of the time because it is often aggregated.

  • by bayesian_horse on 11/26/22, 12:06 PM

    This will have absolutely zero impact.

    Everybody knows you must use Microsoft products and if those don't comply with regulations, the regulations will have to change...

  • by dontbenebby on 11/26/22, 1:32 PM

    I don't really understand the GDPR, maybe because I'm not a lawyer.

    For example, the GDPR states:

    >An establishment's failure to designate an EU Representative is considered ignorance of the regulation and relevant obligations, which itself is a violation of the GDPR subject to fines of up to €10 million or up to 2% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater. The intentional or negligent (willful blindness) character of the infringement (failure to designate an EU Representative) may rather constitute aggravating factors.... Businesses must report data breaches to national supervisory authorities within 72 hours if they have an adverse effect on user privacy. In some cases, violators of the GDPR may be fined up to €20 million or up to 4% of the annual worldwide turnover of the preceding financial year in case of an enterprise, whichever is greater...

    Why has neither of these been done? Speaking as an American who has spent his entire adult life advocating on these issues, it personally offends me when I basically get myself punted out of so-called civil society trying to get a law like this enacted, and then our so-called "allies" across the pond refuse to utilize it.

    Here in "The States", folks used to joke "I'll believe corporations are people when they execute one in Texas". Given the EU's views on the death penalty, maybe some of these companies should be given what the Chinese would call "death with a suspended sentence"[1]: fine them the full two to four percent, and use that money to fund things like universal health care, pensions, and the rebuilding of critical infrastructure instead of... well, based on my last trip to Tim Hortons[2], it looks like the new hotness is building a buncha condos that sit empty and drive up the rents. But it's been a while, so I'll let any Canadians who want to wander in below and give their thoughts the floor.

    The above is what I like to call "venture socialism". It is not communism, it is not even really socialism, more just... republicanism. But I can understand why even that feels violent and oppressive to... some people.

    [1] https://en.wikipedia.org/wiki/Death_sentence_with_reprieve

    [2] Fun fact: for many Americans, the cost of a passport, let alone an international vacation, is out of bounds. Once you understand this, a lot of the past four to forty years begins to make sense.