Comment: Review of “Microsoft online services”

November 7, 2023 | Data Residency

A working group of the Data Protection Conference (AG DSK) concludes in its evaluation of “Microsoft online services” (PDF) that encryption of the processed data is regularly not possible, for example if data has to be displayed in the browser. As a provider of a solution for the encryption of personal or sensitive data, e3 has been asked to comment briefly on this assessment.

Most of the business activities of a data processing provider require access to personal data. Contrary to popular belief, the provider generally does not need unencrypted, non-pseudonymized data. Data processing can also take place in an encrypted state. Even without being able to read the data in plain text, the provider can fulfill the vast majority of its contractual performance obligations.

“Bring Your Own Encryption”

Whether encryption brings real added value for data protection depends on three factors: first, who holds the key (user or provider); second, which encryption mechanism is used; and third, where the encryption takes place (on the user's side or the provider's). The same always applies to decryption, i.e. converting the encrypted content back into plain text. If even one of these aspects is under the control of a provider that does not offer data protection equivalent to the GDPR, encryption primarily entails additional effort and hardly any of the benefit, i.e. the desired or required data protection. Many providers pay dearly for measures in this regard - often with little additional benefit (e.g. greater compliance with the law). Ultimately, however, they maintain control over one or more components of the encryption.

The solution to this problem is summarized under the term “Bring Your Own Encryption”, or BYOE for short. It means that encryption and data processing must not be carried out by the same provider, ideally not on the same platform and, if possible, within the national borders of the data owner (or, of course, within the EU).

The crux of the matter is that data processing providers today have little interest in supporting such BYOE solutions. They would have to offer appropriate interfaces and ensure that the processing of encrypted data still works. The additional effort required prevents many providers from doing so. We at e3 believe: From the perspective of information and data protection in particular, and considering the worsening geopolitical situation in general, this is incomprehensible.

Data protection today and tomorrow

BYOE solutions are new, but surprisingly effective – and if the provider “joins in”, they can be implemented without any functional losses. BYOE solutions increase provider costs by around 10 to 20 percent, but they offer two advantages: the various data protection regulations of many countries can be met at the same time, and future changes can be responded to easily and flexibly. Given the potential risks in this area, a BYOE solution is a favorable safeguard against cybercrime and violations of privacy regulations. The costs resulting from successful cyber attacks or from correcting non-compliant incidents are many times higher.

Read more below about what is possible with a BYOE solution. Take part in one of our webinars or book a non-binding consultation appointment. With Centraya you can solve your challenges in the area of data and information protection in a future-oriented way. We support you in managing your data locally and globally, securely encrypted and compliant.
