First, the “easy one”: Office 359 is already well beyond the 99.9% reliability for this year. Our on-prem solutions have had no downtime this year. Last year, we had about 2 hours of unplanned downtime. How can Microsoft hope to compete with such a poor availability record?
As to GDPR, or DSGVO as we call it (Datenschutzgrundverordnung), here we are responsible for the data. If we blab the data, that is our fault and we have to pay a fine; if we put it in the cloud and a cloud provider (e.g. Microsoft with Office 365) blabs the data, hands it over to the US Government or takes it out of the EU without getting the written permission of the identifiable entities in the data, we are still liable for the breach of GDPR and will still have to pay the fine.
With moving the data outside the EU, the data has to be stored in a land with equivalent data protection to the EU; the USA does not fall into this category. There was an agreement between the USA and the EU to replace Safe Harbor, which was deemed non-compliant. The new Data Shield sees the appointment of an Ombudsman in the USA as a prerequisite, but after over 18 months the USA Government has still failed to appoint an Ombudsman, which makes Data Shield non-compliant.
Then there is the matter of the FISA court: if Microsoft are presented with a FISA letter, they have to hand over the data without informing their customers. That is a breach of contract and a breach of GDPR – Microsoft cannot hand over the data to the US Government without first getting the written permission of all identifiable entities, but the FISA letter prohibits them complying with the law. If Microsoft hand over the data and it comes out, the customer is liable to a minimum 24M€ fine.
Add to this the data slurping of Windows 10 and Office 365 (480 data providers in Windows in default configuration, 420 in “private” mode and still 4 in “secure” mode and several thousand data providers in Office 365). This data slurping has to be opt-in, but Microsoft doesn’t even offer an opt-out. The Dutch Government has given Microsoft until April to provide a compliant version of Office 365 for EU customers.
At work, we have Microsoft 365, mainly for the CALs. Office 365 Pro Plus is installed. No hybrid or Azure domain can be used. Teams, Exchange, SharePoint and all other “cloudy” goodness is disabled by policy. Exchange, file servers and SQL Servers remain on-premises, mainly due to GDPR.
Given the uncertainty of the data storage, the legal problems and the low reliability at the current time, how is Microsoft going to make its cloud offerings attractive to potential customers?