I am hearing of multiple orgs that ceased offering email services (SMTP and IMAP on an organizational domain) and instead force people to use the Microsoft-hosted email-like messaging service known as Outlook.

In each case, they say they are doing so in the name of compliance.

How can they claim this? Are they saying they will go into employees' inboxes and email archives to delete messages in case they get a request from correspondents asserting their rights as data subjects?

@jboy I would be very interested in hearing the reasoning behind this nonsense!

@IzzyOnDroid @jboy I believe any org can outsource to any other org that claims to be #GDPR compliant, and then the outsourced entity becomes the “data processor”. Perhaps this enables the org doing the outsourcing to avoid the burden of data requests by simply passing those requests through to the outsourced entity (MS).

@jboy @IzzyOnDroid When the MX lookup of an org points to MS, I always make a “right to be forgotten” request and demand that my email address be removed from their records, so they cannot send me any more email via #Microsoft.
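The check described in the post above ("the MX lookup of an org points to MS") can be automated. The following is an added example written for this thread, not code from any of the posters: it classifies a domain's inbound mail host from its MX records. The provider suffixes are real (Exchange Online publishes MX targets under `mail.protection.outlook.com`, Google Workspace under `aspmx.l.google.com`); the sample domains and their records are constructed so the example runs offline, and the live-DNS path via dnspython is an optional assumption.

```python
"""Classify who receives a domain's inbound mail from its MX records.

Added example for this thread, not any poster's code. The provider suffixes
are real public MX targets; the sample zone data below is constructed.
"""
from __future__ import annotations

# Suffix -> provider label. A host matches only when it equals the suffix or
# ends with ".<suffix>", so "notgoogle.com" or "evil-outlook.com" never match.
PROVIDER_SUFFIXES = {
    "mail.protection.outlook.com": "Microsoft Exchange Online",
    "google.com": "Google Workspace",
    "googlemail.com": "Google Workspace",
}

# Constructed sample data standing in for live DNS answers:
# domain -> list of (preference, exchange host) as a resolver would return them.
SAMPLE_MX = {
    "example-corp.test": [(0, "example-corp-test.mail.protection.outlook.com.")],
    "example-uni.test": [(5, "alt1.aspmx.l.google.com."), (1, "ASPMX.L.GOOGLE.COM.")],
    "self-hosted.test": [(10, "mx1.self-hosted.test."), (20, "mx2.self-hosted.test.")],
    "no-mail.test": [],
}


def normalize_host(host: str) -> str:
    """Lower-case the name and strip the trailing dot DNS answers carry."""
    return host.strip().rstrip(".").lower()


def provider_for_host(host: str) -> str | None:
    """Map one MX hostname to a known provider, or None if unrecognised."""
    h = normalize_host(host)
    for suffix, label in PROVIDER_SUFFIXES.items():
        if h == suffix or h.endswith("." + suffix):
            return label
    return None


def classify_mx(records) -> dict:
    """Summarise an MX record set: primary (lowest preference) host and provider.

    records: iterable of (preference, exchange) tuples. An empty set is reported
    as "no MX records" rather than guessed at.
    """
    hosts = sorted(((int(p), normalize_host(h)) for p, h in records), key=lambda t: t[0])
    if not hosts:
        return {"primary_mx": None, "provider": "none (no MX records)", "all_mx": []}
    providers = {provider_for_host(h) for _, h in hosts}
    providers.discard(None)
    if len(providers) == 1:
        label = providers.pop()
    elif providers:
        label = "mixed: " + ", ".join(sorted(providers))
    else:
        label = "self-hosted or unrecognised provider"
    return {"primary_mx": hosts[0][1], "provider": label, "all_mx": [h for _, h in hosts]}


def lookup_mx(domain: str, live: bool = False):
    """Return (preference, exchange) tuples for a domain.

    live=True queries DNS with dnspython (assumed installed); the default reads
    the constructed SAMPLE_MX table so the example works without a network.
    """
    if live:
        import dns.resolver  # assumption: dnspython is available
        answer = dns.resolver.resolve(domain, "MX")
        return [(r.preference, r.exchange.to_text()) for r in answer]
    return SAMPLE_MX.get(domain, [])


if __name__ == "__main__":
    for name in SAMPLE_MX:
        result = classify_mx(lookup_mx(name))
        print(f"{name:20} primary={result['primary_mx']!s:50} {result['provider']}")
```

Only the lowest-preference host decides where mail is first received, so that is the one reported as primary; the provider label is derived from all hosts so a mixed setup (for example a self-hosted backup MX beside Exchange Online) is flagged rather than silently collapsed to one provider.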

@jboy sounds like a knee-jerk reaction triggered by worry and lack of understanding.

The use of proprietary mail clients {like Outlook} is not recommended! They harbor questionable data security!
Linux and Unix provide much more secure alternatives.

@jboy just to add.

- The MS-hosted mail instance is Exchange, mostly as part of Office365.
- Outlook is the client on a device (app or browser), and sometimes organisations block the use of other clients. Until now I saw this as an information-security practice, not as a data-protection measure per se.
- Organisations could procure another mail hoster and still be GDPR compliant, of course. Be it Exchange or something else. Depending on the Data Processing Agreement etc.
- Giving data to data subjects can't be offloaded to MS as far as I know. Exchange Admins within an organisation have all the means to do this themselves.
- Avoiding that by deleting messages doesn't depend on mail being hosted by MS.

@joeldebruijn Thanks. But are people that send email really considered "data subjects" under GDPR?

@jboy in principle, yes.
Because of contact information at least. Confidential message content just adds to that.

The focus on compliance within the context of email is on the processing of mail for the people within an organisation and its customers. Random external people that willingly/freely send mail to an organisation on their own initiative are within scope, in principle.
But I don't see many GDPR enforcement/controls in that regard.

@omni @jboy I'm not sure but afaik:
- EU data can't be protected against US government data snooping if it's hosted on/transported to US soil.
- Maybe EU data can be protected if it's on EU soil and stays there. But it requires EU-based legal entities at minimum.
- If a legal entity in the EU hosts in the EU and has a US mother company, it may not be enough.

The above doesn't apply to the US per se but to everything outside the EEA.

@omni @jboy

This is problematic for MS:
- Their EU legal entity is in Ireland and their hosting is in the EU for the EU.
- They can't enforce EU protection if the US demands otherwise.

@omni @jboy
Some of their services transport data to the US even if it's hosted on EU soil. For example, your docx file may be in Ireland but spellchecking is done in the US. Also, during the first lockdowns, when their cloud got used a lot more than before, they had to balance compute globally (day and night use across continents etc., meaning compute was needed in the EU during the day when US data centers were idle or less peaking during the night).

@omni @jboy

Mileage may vary but this is problematic for Google Suite for businesses also.

Adding to that: the Dutch DPIA showed that it's harder for Google to separate work/school life from home consumerism.

When a student has a Chromebook and opens the Chrome browser and uses the suite for school, it's OK, they say. They won't use its data for adtech, they promise.

One tab further, watching a YouTube vid for school ... Sorry, adtech it is, you are just a consumer.

This is my take as well, though the US has also been the main concern.

@jboy My college forces us to use Gmail. (They forgot to disable automatic forwarding though).

@jforseth210 I think universities are probably the worst offenders when it comes to shenanigans like this.

@jforseth210 @jboy There’s nothing in the #GDPR that says they can’t outsource. The entity they outsource to simply becomes a “data processor”. I’ve noticed that even the #Belgian gov outsources email to #Microsoft in many cases, and they try to force you to interact with their email. But you can always reject that and send a letter in the post. It’s what I do.

@expat @jforseth210 right, I get that. But these orgs are claiming that they are providing a restricted email-like service (Outlook) in order to comply with GDPR.

@jboy @jforseth210 That seems to be a perverse side-effect of the GDPR which actually undermines privacy, but likely done so the org doing the outsourcing can escape some of the liability.

@expat @jforseth210 for sure, but I'm still not sure what kind of liability they are actually avoiding. What kinds of special rights do senders of email have under GDPR? Can they really demand to have their messages deleted? Under what circumstances?

@jboy @jforseth210 AFAIK email users don’t get any special rights, just what is written in the GDPR for all situations. The right to be forgotten has some limitations. E.g. you can’t demand that a creditor delete their records of your debt, or that a law enforcement office delete your criminal record. As long as the deletion request doesn’t impede their purpose they must honor it.

@jforseth210 @jboy I believe the EU has an email header retention law whereby all EU ESPs must retain the headers of all email passing through their systems. So a GDPR delete request should have immediate effect on the body of emails, but delayed effect on the metadata IIUC. Perhaps this is why email would be outsourced to large centralized companies… they can get those details right.

@jboy @jforseth210 You might find this interesting, jboy → This article hints that bigger companies are more able to sustain a GDPR fine than small ones, so the big corps are more willing to put their necks on the line for business. Not email-service related, but I think the same idea would apply.

@jboy It's digital capitalism. Much cheaper for org to outsource email hosting to a free outside surveillance user activity harvester. Also less risk and uncertainty. Soon it will be standard practice. Mail servers are a pain to admin.