Never Trust Anyone Claiming ‘90% Certification’ for GDPR

You are all clever, well-informed people. That is why you choose to read Commsrisk. So you already know why not to trust anyone claiming their business is 90 percent certified for the EU’s General Data Protection Regulation (GDPR). You know that:

  • you either deserve the whole of a certificate or none of it; and
  • there is no certification mechanism for GDPR anyway.

At the same time, you are generous people who work in a global industry. You all speak English, but you are tolerant of the slips made when people who are technically competent are trying to express themselves in a language that is not their native tongue. When somebody says their business is 90 percent certified for GDPR, you know that the meaning of those words in English is not the same as the meaning that the speaker probably intended. Only a petty fool would pick on somebody for using those words in front of an audience. I am not that petty. But nevertheless…

One reason I have to share this story is because the claim of 90 percent certification was made by an employee of Microsoft, which is a very big business, as he was trying to aggressively sell Microsoft’s services, which was very annoying. Microsoft know plenty about aggressive sales tactics. Those tactics have helped to make Microsoft the 69th biggest business in the world, per Fortune’s Global 500. They have also resulted in Microsoft paying a total of EUR2bn (USD2.4bn) in anti-trust fines to the European Union.

Microsoft processes a lot of data. In the cloud. Across borders. Those are also reasons to ask pertinent questions about Microsoft’s commitment to data protection. So maybe, when they select speakers who will tell an audience of risk managers in the telecoms industry about why they should rely upon Azure, Microsoft’s cloud computing service, they should give the speaker some advice about data protection. Probably they should discourage the speaker from making claims that sound like utter nonsense. And maybe they should tell their representatives to tone down the sales hype, especially if the speaker has not mastered all the topics they are talking about. Because maybe the audience will contain somebody like me, who asks awkward questions when speakers make claims that are almost certainly wrong.

I will omit the name of the unfortunate Microsoft employee; his misfortune was to have somebody like me in the audience. However, his failure belongs to his employer, because it is probably symptomatic of Microsoft’s unwillingness to educate its staff properly. Nothing will be gained by shaming a poorly-trained individual who only knows how to parrot the garbage produced by his marketing department. It is only fair to observe that he was sincere and that he tried to be helpful. He genuinely did his best to explain why I should not worry about Microsoft’s attitude to data protection. So although he dashed away from the event immediately after finishing a presentation that was considered boring and irrelevant by every audience member near me, he deserves some praise for later making time to write me an email. That email was meant to reassure me that Microsoft is a decent business that actually cares about data protection. He also attached a document which was meant to show how Microsoft Azure supports integrity more generally. That was his goal, at least. It was only when I read the email and the document that I realized I should warn people about the way Microsoft behaves. Because if I was writing on behalf of Microsoft, I would definitely not assert that:

Azure has, probably by far, the deepest and most comprehensive compliance coverage in the industry.

I would not write that sentence because it is a little immodest, as well as being wholly unverifiable. Instead of thinking “Azure probably is the best cloud service for GDPR compliance” I reached a different conclusion. I felt that Microsoft must employ some of the most arrogant, complacent, cocksure people imaginable. And if they are that arrogant, complacent, and cocksure, it explains why they stand in front of intelligent audiences and proceed to make stupid claims which cannot possibly be true. And those are all good reasons not to trust Microsoft with your data.

But it would have still been too hasty to write a condemnatory article. I should, at the very least, have spent ten minutes reading the 55-page document that came attached to the email. That document is called “Microsoft Azure Compliance Offerings” and is dated May 2018. If I went ten minutes without finding an issue I would have concluded the whole document to be reliable. So you can imagine how I felt when I found something wrong with the document within three minutes of scanning through it.

…Microsoft Azure has been certified by the Federation Against Copyright Theft (FACT) in the United Kingdom…

…Customers can download the Azure FACT certificate.

If I was going to boast about certificates in a document dated May 2018, I would check if I was linking to a certificate that expired in March 2017.

Those interested in GDPR would already know to flick to the section which discusses how Microsoft Azure complies with the EU-US Privacy Shield. The Privacy Shield is the successor to the ‘Safe Harbor’ for personal data which suddenly collapsed after many years of everyone relying upon it. Because you are well informed, you know it was judged to be invalid by the EU’s top court because of the simple matter of the USA clearly not complying with the legal obligations supposedly imposed by the EU. Privacy Shield solved that problem by changing almost nothing except a few words here and there, because more significant changes would have been inconvenient. Nevertheless, we are told:

Microsoft and its controlled U.S. subsidiaries (Microsoft) comply with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Microsoft has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.

Is this a certification that supports Microsoft’s claim to be 90 percent certified to GDPR? Only if you trust certificates which have been validated by self-assessment, a critical weakness of the Privacy Shield which is not mentioned in Microsoft’s document.

If I kept on reading Microsoft’s document I might find other reasons to question their openness and diligence, but what would be the point? Microsoft wrote this document to boost sales of Azure, not to give an accurate picture of the risks of using their service, and certainly not to empower individuals whose personal data might be abused. That is why it exaggerates the trust you can place in Microsoft Azure, just as it exaggerates the value of the laws and the certificates it refers to.

There is a good reason to rely on Microsoft to manage personal data, but it is not one they will state out loud. No government in Europe will want to punish your business if it means starting a fight with Microsoft first, because the US government will defend Microsoft as far as they possibly can. That is why gimmicky laws like the EU-US Privacy Shield only require US businesses to self-assess their own compliance. When it comes to data protection, the EU and the USA have long complied with their own version of don’t ask, don’t tell.

The US government will have no desire to damage one of their country’s biggest earners and tax generators just to appease some idiot European politicians, and the idiot European politicians have no desire to draw attention to how bogus their promises are. So whilst some smaller European businesses may be penalized for failing to comply with GDPR, big corporations like Microsoft will likely obtain a free pass, so long as they pay sufficient lip service to the rules and encourage everyone else to take them seriously. And that is the real reason you should never trust anyone willing to make the absurd claim that they are already 90 percent certified as compliant with GDPR.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Director of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.