Microsoft tries to implement compliance with the GDPR in a variety of ways. This includes finding technical solutions that are legally sound and also resolve legal challenges. With the Windows operating system in particular, given its wide use, the open questions are whether there is shared responsibility and how exactly Microsoft handles diagnostic data and telemetry. The BSI has already examined this situation and published a guideline.
Microsoft came forward with a new solution as early as 2020. I already reported on it here in May 2020 and saw the problem that this new processing option was unfortunately only available from US data centers, so the challenge could not be solved completely.
Now, in July 2021, the local magazine in Redmond reports again on the solution I described in May 2020, because a new article has appeared in the Microsoft Tech Community.
Which services are affected?
This configuration is currently only available for Windows 10. Windows 11 is not yet included, and there will be no more detailed information about it for another 2 years. The affected services are:
- Desktop Analytics
- Update Compliance
- Microsoft Managed Desktop
- Windows Update for Business
Configuration
Diagnostic data can be redirected through a technical configuration which, in Microsoft's interpretation, also clarifies the relationship between processor and controller. The data can now be processed in your own Azure tenant before it is sent on.
Effects
The effect is that the customer is the controller and Microsoft is the processor (data processor). With this technical configuration and the clarification it brings, Microsoft's aim is that companies do not reduce diagnostic data/telemetry to zero, but enable it at the minimum level needed to use WSUS and other services such as Intune. However, Microsoft Corp will still receive this data in pseudonymized form when it is enabled. This also applies to the period after 2022, when the EU Data Boundary takes effect. Here Microsoft follows the EDPB recommendations of July 2021 on data transfers to unsafe third countries.
If you need the telemetry and diagnostic data, this may be an option; whether it is sufficient will have to be the subject of a legal opinion.
Recommendations
With this configuration it may be possible to set diagnostic data to the minimum level that still lets you use WSUS, SCCM and Endpoint Manager (Intune), without the challenge of shared responsibility.
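Before relying on the processor configuration, an administrator will want to verify what the device actually enforces. The following PowerShell audit is an added example, not code from the original post or from Microsoft. It assumes (none of this is stated on the page) that the policy values live under HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection, that AllowTelemetry encodes the level (0 Security, 1 Required/Basic, 2 Enhanced, 3 Optional/Full), and that AllowCommercialDataPipeline = 1 enables the processor configuration on supported Windows 10 builds; $TargetLevel is a hypothetical value the administrator chooses.

```powershell
# Added example (not from the original post): audit the enforced Windows 10
# diagnostic data policy on the local device.
# Assumptions: policy key and value names below; $TargetLevel is hypothetical
# ("Required" is assumed to be the floor for Update Compliance / Desktop Analytics).

$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$TargetLevel = 1

$LevelNames = @{
    0 = 'Security'
    1 = 'Required (Basic)'
    2 = 'Enhanced'
    3 = 'Optional (Full)'
}

function Get-DiagnosticDataPolicy {
    # Returns what is enforced by policy on this host (not the user's own setting).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue

    $level = $null
    if ($null -ne $props -and $null -ne $props.AllowTelemetry) {
        $level = [int]$props.AllowTelemetry
    }

    $levelName = 'not set by policy (device/user default applies)'
    if ($null -ne $level -and $LevelNames.ContainsKey($level)) {
        $levelName = $LevelNames[$level]
    }

    # Assumed policy value enabling the processor configuration.
    $processor = $false
    if ($null -ne $props -and $null -ne $props.AllowCommercialDataPipeline) {
        $processor = ([int]$props.AllowCommercialDataPipeline -eq 1)
    }

    [pscustomobject]@{
        LevelConfigured        = ($null -ne $level)
        Level                  = $level
        LevelName              = $levelName
        ProcessorConfigEnabled = $processor
    }
}

function Test-DiagnosticDataPolicy {
    param([int]$MaxLevel = $TargetLevel)

    $p = Get-DiagnosticDataPolicy
    $findings = @()

    if (-not $p.LevelConfigured) {
        $findings += 'AllowTelemetry is not enforced by policy; the level can drift per device or user.'
    }
    elseif ($p.Level -gt $MaxLevel) {
        $findings += "Diagnostic data level '$($p.LevelName)' exceeds the target '$($LevelNames[$MaxLevel])'."
    }
    if (-not $p.ProcessorConfigEnabled) {
        $findings += 'Processor configuration (AllowCommercialDataPipeline) is not enabled; data is handled under the default terms.'
    }

    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Policy    = $p
        Findings  = $findings
    }
}

# Usage: run in an elevated session on a Windows 10 device and review the findings.
$result = Test-DiagnosticDataPolicy
$result.Policy | Format-List
if ($result.Compliant) {
    'OK: diagnostic data is enforced at or below the target level and the processor configuration is enabled.'
}
else {
    $result.Findings | ForEach-Object { "FINDING: $_" }
}
```

The script only reads the policy hive; it deliberately does not change anything, so it can be run as a pre-check across a fleet (for example via a Configuration Manager or Intune script) and the findings fed to whoever owns the legal assessment mentioned above.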
Links
https://docs.microsoft.com/en-us/windows/privacy/windows-10-and-privacy-compliance