European Commission broke its own data privacy law with Microsoft 365 use

Euro folk have until December to put house in order
The European Commission has been reprimanded for infringing its own data protection regulations when using Microsoft 365.

The rebuke came from the European Data Protection Supervisor (EDPS) and is the culmination of an investigation that kicked off in May 2021, following the Schrems II judgement.

According to the EDPS, the EC infringed several data protection rules, including those governing the transfer of personal data outside the EU / European Economic Area (EEA).

According to the organization, "In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.

"Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365."

While the concerns are more about EU institutions and transparency, they should also serve as notice to any company doing business in the EU / EEA to take a very close look at how it has configured Microsoft 365 regarding the EU Data Protection Regulations.

Wojciech Wiewiórowski, the European Data Protection Supervisor, said: "It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.

"This is imperative to ensure that individuals' information is protected."

The EC has been ordered to suspend all data flows, arising from its use of Microsoft 365, to Microsoft and any of its tentacles that reside outside the EU / EEA and are not covered by an adequacy decision. The EC must also bring its processing operations with Microsoft 365 into compliance, and has a deadline of December 9, 2024, to demonstrate that it has done so.

The latter order gives an insight into the seriousness of the infringements. Corrective actions to ensure compliance include a transfer-mapping exercise to identify what personal data is transferred to which recipients in which third countries, and to ensure the types of personal data are sufficiently determined in relation to the purposes for which they are processed.

According to the EDPS' findings: "Many of the infringements found concern all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365, and impact a large number of individuals."

The problem appears to be more on the doorstep of the EC and how it is using Microsoft 365 rather than the Windows behemoth itself.

A spokesperson for Microsoft said: "Our customers in Europe can continue to use Microsoft 365 in full compliance with the GDPR and can count on our continued support and guidance.

"Concerns raised by the European Data Protection Supervisor relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the European Union institutions. We will review the EDPS' decision and work with the European Commission to address the remaining concerns." ®
