Federal Administration introduces public cloud-based application Microsoft 365
07.03.2023 - The Microsoft Office 2021 applications that are currently still run locally throughout the Federal Administration are to be replaced by the public cloud-based Microsoft 365 application. The FDPIC will provide supervisory support for the outsourcing project.
In a press release dated 15.2.2023, the Federal Council announced that the version of Microsoft Office currently used by the Federal Administration would have to be replaced because important applications had reached the end of their lifecycle and would no longer be supported by Microsoft in a few years' time (probably 2026). The situation regarding the follow-on products is exceptional because the Federal Administration will only be able to use them via a public cloud connection. At present, the Federal Administration is effectively dependent on Microsoft’s Office products. A change of provider and product is currently considered too risky and too costly due to the numerous dependencies on specialised applications. In order to reduce dependency in the medium and long term, the examination of alternatives to Microsoft 365 will continue. As part of an exit strategy, the Federal Chancellery’s Digital Transformation and ICT Steering Sector (DTI) is also examining open-source alternatives. The introduction of Microsoft 365 will have to be accompanied by protective measures; in particular, users will not be allowed to store particularly sensitive data and confidential documents in the Microsoft cloud.
The DTI involved the FDPIC in its preliminary work on the introduction of Microsoft 365, in particular by submitting to it the drafts of an analysis of the legal requirements and the ISDP (information security and data protection) concept. In his comments, the Commissioner stated, among other things, that in his opinion it was uncertain how long it would remain technically feasible to run certain applications in the federal government's own IT centres instead of in the cloud operated by the US company Microsoft, as the DTI project envisages today. In view of this uncertainty, the Commissioner requested that alternatives to Microsoft 365 be put forward that are less problematic from a data protection perspective. He went on to request that a more detailed analysis be made of whether a sufficient legal basis exists for the processing of personal data in the cloud operated by the US company, and whether the principle of proportionality is maintained. Finally, the FDPIC requested that the DTI prepare a comprehensive data protection impact assessment that transparently shows the risks of outsourcing to the cloud. In this context, the Commissioner considered it essential that the problem of possible access by the US security authorities to personal data processed by the Federal Administration in the Microsoft cloud be analysed in depth.
In view of its concerns, the FDPIC welcomes the fact that the Federal Chancellery disclosed in its press release the problem of economic and technological dependence on the US company Microsoft and is continuing to examine alternatives, in particular open-source alternatives as part of an exit strategy. The FDPIC will provide supervisory support for the outsourcing project and in analysing both the results of the search for alternatives and the data protection impact assessment, which is still outstanding.