Back to Blog

I tricked Bing Chat to say Microsoft 365 is not GDPR compliant

Published on: 2023-3-30 I tricked Bing Chat to say Microsoft 365 is not GDPR compliant

Earlier this month, we wrote about how Standard Contractual Clauses (SCCs) alone provide insufficient protection of Personal Data when exported to the US.

However, when you look at data protection policies and Data Processing Agreements with numerous vendors, you will often find SCCs underpinning their whole legality in the context of GDPR.

How's that possible?

Let's chat with Bing and try to get to the bottom of it.

Bing enters the Chat

πŸ™Ž Prompt: Hi, can you tell me how Microsoft can claim GDPR-compliance citing Standard Contractual Clauses when these have been deemed insufficient Personal Data Protection Mechanism?
πŸ€– AI Reply:

Microsoft offers customers the EU Standard Contractual Clauses (SCC) (also known as EU Model Clauses) that provide specific guarantees around transfers of personal data for in-scope services. The EU Model Clauses are used in agreements between service providers (such as Microsoft) and their customers to ensure that any personal data leaving the EEA will be transferred in compliance with the GDPR 1.

In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield Framework for transfers of personal data from the EU to the United States. However, the EU Model Clauses continue to provide a valid mechanism for the transfer of personal data from the EU and EEA, as well as from Switzerland and the United Kingdom 1.

Is there anything else you would like to know?

Stock response. Everything is good even without Privacy Shield because EU Model Clauses provide sufficient protection. So does Bing claim based on its information.

It is very likely that this is how your business justifies using US-based services.

πŸ™Ž Prompt: According to CJEU, the SCCs do not provide protection from US intelligence agencies accessing Personal Data. How can Microsoft claim GDPR-compliance based on SCCs?
πŸ€– AI Reply:

I’m sorry, but I couldn’t find any specific information on how Microsoft can claim GDPR-compliance based on SCCs in light of the CJEU ruling that SCCs do not provide protection from US intelligence agencies accessing Personal Data. Is there anything else you would like to know?

Fair enough. This rather complex question. In previous attempts, Bing Chat would simply end chat, telling us it wanted to avoid continuing. We ought to be careful to keep it going.

Let's rephrase and dig deeper.

πŸ™Ž Prompt: Did CJEU invalidated SCCs as sufficient mechanism to protect Personal Data against US intelligence agencies?
πŸ€– AI Reply:

According to the CJEU’s Schrems II judgment in July 2020, the Privacy Shield was invalidated on account of invasive US surveillance programs. However, Standard Contractual Clauses (SCCs) remain valid. The CJEU sets out a heavy burden on data exporters which wish to use SCCs; the data exporter must consider the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Additional safeguards, beyond the SCCs, may be required 1.

Is there anything else you would like to know?

We are getting somewhere. Bing rightly reports that SCCs are, in fact, valid. At the same time, it delivers the first self-inflicted blow. This statement clearly points to responsibility for compliance to be on the data exporter side. Even if SCCs are valid, the data exporter is ultimately responsible.

πŸ™Ž Prompt: On what basis do Standard Contractual Clauses remain valid since Schrems II judgement?
πŸ€– AI Reply:

According to the CJEU’s Schrems II judgment in July 2020, Standard Contractual Clauses (SCCs) remain valid. However, the CJEU sets out a heavy burden on data exporters which wish to use SCCs; the data exporter must consider the law and practice of the country to which data will be transferred, especially if public authorities may have access to the data. Additional safeguards, beyond the SCCs, may be required.

Is there anything else you would like to know?

We are not getting additional information at this point. We know SCCs are valid, but we also know that additional measures might be required.

It is time to clearly assign responsibility.

If you process Personal Data using Microsoft 365, who is responsible for assuring that US intelligence agencies are not violating rights stemming from EU GDPR.

πŸ™Ž Prompt: If my German business uses Microsoft 365, who is data exporter? Is it my business or Microsoft?
πŸ€– AI Reply:

If your German business uses Microsoft 365, your business would be the data controller and Microsoft would be the data processor. As the data controller, your business would be responsible for determining the purposes and means of processing personal data. Microsoft, as the data processor, would process personal data on behalf of your business.

Is there anything else you would like to know?

Time to make it more precise. The conversational nature of the generative AI chat makes this very easy.

πŸ™Ž Prompt: Who is data exporter?
πŸ€– AI Reply:

The data exporter is the entity that transfers personal data to a third country or an international organization. In the context of your German business using Microsoft 365, your business would be the data exporter as it transfers personal data to Microsoft, which is located in a third country (the United States).

Is there anything else you would like to know?

Bottom line: if you send Personal Data to Microsoft, you are ultimately responsible for the data security and privacy.

πŸ™Ž Prompt: Thanks, sounds like if my German business uses Microsoft 365, it is my business acting as Data Controller and Data Exporter. It is my responsibility to assure that US intelligence agencies are not exploting Personal Data stored with Microsoft. It is our responsibility to add extra protection beyond SCCs to remain compliant with GDPR. Is that correct?
πŸ€– AI Reply:

Yes, that is correct. If your German business uses Microsoft 365, your business would be the data controller and data exporter. As the data controller and exporter, your business would be responsible for ensuring that personal data transferred to Microsoft is protected in compliance with GDPR requirements. This may include considering the law and practice of the country to which data will be transferred and implementing additional safeguards beyond the SCCs if necessary.

Is there anything else you would like to know?

TL;DR: You, your business, needs to understand the laws of the country in which your vendor resides and implement sufficient measures for security and privacy.

It's a wrap.

πŸ™Ž Prompt: Thanks, I am good.
πŸ€– AI Reply:

You’re welcome! If you have any further questions or need any assistance, feel free to ask. Have a great day!

Will you have a great day knowning what we've just learned?

Hey Bing, is Microsoft 365 GDPR-compliant?

To close this conversation off, I switched to content writing mode. I asked for a medium length, professionally sounding paragraph on the following subject:

πŸ™Ž Prompt: Because of Standard Contractual Clause mechanism to assure GDPR-compliance is not sufficient, write a short paragraph, avoiding cliches about how Microsoft 365 does not meet GDPR compliance standards.
πŸ€– AI Reply:

Standard Contractual Clauses (SCCs) are a mechanism to ensure appropriate data protection safeguards when transferring personal data from the EU to third countries. However, SCCs alone are not sufficient to guarantee GDPR compliance for Microsoft 365, as they do not address some of the specific risks and challenges posed by the cloud service provider. For instance, SCCs do not cover the following aspects:

  • The possibility of Microsoft accessing and processing personal data for its own purposes, such as improving its products and services, or complying with requests from third parties (e.g. law enforcement agencies).
  • The lack of transparency and control over the location and storage of personal data, as Microsoft may transfer data to any of its affiliates or subcontractors worldwide, without informing or obtaining consent from the data subjects or controllers.
  • The potential conflicts between the obligations imposed by SCCs and the laws of the third countries where Microsoft operates, especially those that grant broad surveillance and access powers to public authorities.

Therefore, Microsoft 365 does not meet GDPR compliance standards by relying solely on SCCs, and controllers and processors should take additional measures to ensure an adequate level of protection for personal data transferred to Microsoft 365.

I am not claiming that Bing Chat output is authoritative. The last entry, where Bing Chat makes a bold claim about Microsoft 365 not being GDPR-compliant, is what we effectively asked for. If anything, this proves that generative AI is not to be trusted on the face value.

Too Long; Didn't Read

To err on the side of caution, it is in your interest to use vendors from adequate countries. Claims made by vendors, who are your Data Processor, do not absolve you - the Data Controller, from their shortcomings.