Comment: Evaluation of "Microsoft online services"

Nov 7, 2023 | Data residency

A working group of the Data Protection Conference (AG DSK) concludes in an evaluation of "Microsoft online services" (PDF) that encrypting the processed data is regularly not possible, for example when data has to be displayed in the browser. As a provider of a solution for the encryption of personal or sensitive data, e3 feels compelled to comment briefly on this assessment.

Most of the business activities of a data processing provider require access to personal data. Contrary to popular belief, however, the provider generally does not need unencrypted, non-pseudonymized data for this purpose. Data can also be processed in encrypted form. Even without being able to read the data in plain text, the provider can fulfill the vast majority of its contractual performance obligations.

"Bring Your Own Encryption"

Whether encryption provides real added value for data protection depends on three factors: first, who holds the key (user or provider); second, which encryption mechanism is used; and third, where (at the user or at the provider) the encryption takes place. The same always applies to decryption, i.e. the conversion of the encrypted content back into plain text. If even one of these aspects is carried out under the control of a provider without data protection equivalent to the GDPR, encryption primarily entails additional costs and hardly any of the benefit, i.e. the desired or required data protection. Many providers pay dearly for measures in this regard - often with little additional benefit (e.g. greater compliance with the law). Ultimately, however, they retain control over one or more of the encryption components.

The solution to this problem is summarized under the term "Bring Your Own Encryption", or BYOE for short. It means that encryption and data processing do not have to be carried out by the same provider, ideally not on the same platform and, if possible, within the national borders (also within the EU, of course) of the data owner.

The crux of the matter is that data processing providers currently have little interest in supporting such BYOE solutions. They would have to offer appropriate interfaces and ensure that the processing of encrypted data still works. The additional effort required prevents many providers from doing so. We at e3 think that, from the point of view of information and data protection in particular, and bearing in mind the worsening geopolitical situation in general, this is incomprehensible.

Data protection today and tomorrow

BYOE solutions may be new, but they are surprisingly effective - and can be implemented without any functional losses if the provider "goes along". BYOE solutions increase provider costs by around 10 to 20 percent, but offer the advantage that not only can the most diverse data protection regulations of many countries be fulfilled (simultaneously), but that it is also possible to react easily and flexibly to future changes. In view of the potential risks in this area, a BYOE solution is a favorable safeguard against cybercrime and breaches of privacy regulations. This is because the costs of successful cyber attacks or correcting non-compliant incidents are many times higher.

Find out more about what is possible with a BYOE solution. Take part in one of our webinars or book a non-binding consultation appointment. With Centraya, you can solve your data and information protection challenges in a future-oriented way. We support you in managing your data locally and globally, securely encrypted and compliant.
