Legal use of Microsoft 365? Current status and outlook

12/08/2025

Microsoft 365 has become an integral part of the modern working world. At the same time, the use of cloud services in compliance with data protection regulations has been a challenge in Europe for years. Data protection authorities repeatedly voice criticism, particularly with regard to (possible) data transfers to the US. What is the current situation, and what does this mean for companies?

Starting point

The fundamental challenge in using Microsoft 365 lies in the transfer of personal data to so-called third countries outside the European Economic Area (EEA). Particular attention is paid to the US, where the CLOUD Act and the Patriot Act are laws that allow US authorities to access stored data under certain circumstances – even if it is physically located in the EU.

The original adequacy decision (Privacy Shield) was declared invalid by the European Court of Justice in its Schrems II ruling in July 2020. Although a new data protection agreement (EU-U.S. Data Privacy Framework) was adopted in July 2023, critics describe it as "suspended in limbo." A renewed judicial review is considered likely.

Microsoft's official version

Microsoft has responded to the data protection concerns and implemented various measures:

  • Certification under the EU-U.S. Data Privacy Framework: Microsoft is officially listed as a compliant provider. The framework forms the basis for the transfer of personal data to the US in compliance with data protection regulations – provided that its legal validity remains confirmed.
  • Microsoft EU Data Boundary: In the spring, Microsoft announced that the Data Boundary, which was introduced in stages, has now been fully implemented. Data from European customers (such as emails, files, or chat histories) is now processed and stored exclusively within the EU.
  • Standard Contractual Clauses (SCCs): For data transfers outside the EEA, Microsoft uses the standard contractual clauses specified by the EU Commission, supplemented by additional technical and organizational measures.

Reservations regarding data protection practices

Despite the measures mentioned above, data protection concerns remain:

  • The EU Data Boundary does not cover all data categories – in particular, so-called diagnostic data, which is collected for product improvement and telemetry purposes.
  • The transparency regarding which data is processed for what purpose is insufficient in some cases. Many of the protective measures used rely on the cooperation and configuration of the customers themselves, which can lead to uncertainties in practice.
  • Access rights by US authorities remain in place: The CLOUD Act and Patriot Act allow US authorities to access data physically located in the EU under certain conditions. At a hearing before the French Senate in June 2025, the Chief Legal Officer of Microsoft France admitted that it cannot be ruled out that EU data will be transferred to US authorities – even without the consent of EU authorities.

A glimmer of hope: assessment by supervisory authorities

However, there was a notable step forward from the European side in July 2025:

The European Data Protection Supervisor (EDPS) had been investigating the EU Commission's use of Microsoft 365 since May 2021 due to data protection concerns. On July 11, 2025, the corresponding enforcement proceedings were discontinued. According to the EDPS, the Commission has now implemented measures that meet data protection requirements, particularly with regard to purpose limitation and data transfers to third countries.

This assessment provides some guidance for companies: Microsoft 365 can be used in compliance with data protection regulations, provided that appropriate protective measures are taken. However, this is not a blanket approval; individual reviews and adjustments remain necessary.

Conclusion

Microsoft 365 can be operated in compliance with data protection regulations under certain conditions. However, this requires contractual, technical, and organizational measures – as well as a keen eye on future developments in legislation and case law. Companies should therefore regularly check whether their use of M365 still meets the current requirements. In addition, the use of M365 must always be critically examined from the perspective of digital sovereignty.

We are happy to support you with data protection consulting and auditing for the legally compliant use of Microsoft 365 in your company. Reduce data protection risks, meet regulatory requirements, and demonstrate responsibility to your employees, business partners, and data protection authorities.

Author: Anne Pinke