EU Commission’s Microsoft 365 Usage Breaches GDPR
The European Union’s Data Protection Supervisor (EDPS) recently revealed that the European Commission has not adhered to the bloc’s stringent data protection rules, specifically GDPR, in its use of Microsoft 365. The investigation, which commenced in May 2021, highlighted several key areas of concern, including the lack of specificity in the types of personal data collected, the purposes for data collection, and the inadequate safeguards for data transferred outside the EU/EEA. This scrutiny comes amid growing regulatory focus on how multinational corporations like Microsoft handle user data, especially in light of past concerns regarding data transfers to the U.S. and the absence of a solid data transfer agreement following the invalidation of the EU-U.S. Privacy Shield in July 2020.
In response to these findings, the EDPS has mandated the Commission to implement a series of corrective measures by December 9, 2024, provided it continues utilizing Microsoft’s cloud services. These measures include suspending all data flows to Microsoft and its affiliates located in countries without an EU adequacy decision, conducting a comprehensive data transfer-mapping exercise, and revising contracts with Microsoft to ensure data collection is strictly for explicit and specified purposes. Furthermore, the Commission is required to process data on documented instructions exclusively and prevent any further processing beyond the original collection purpose.
The EDPS’s decision underscores the imperative for EU institutions to uphold robust data protection safeguards, as enshrined in Regulation (EU) 2018/1725, to protect individuals’ information. This development comes as Microsoft endeavors to mitigate EU regulatory risks by expanding its data localization efforts through the “EU Data Boundary for the Microsoft Cloud.” However, this initiative, still in rollout, has been criticized for its potential to allow some data access outside the EU.
The European Commission has acknowledged the EDPS’s decision, committing to a thorough analysis before determining its next steps. It asserts compliance with applicable data protection rules and emphasizes its ongoing efforts to ensure the secure and lawful use of Microsoft M365 and other software. This situation highlights the challenges and complexities of navigating GDPR compliance in an era where cloud-based services are integral to operational efficiency but also pose significant privacy and data protection concerns.
Source: EU’s use of Microsoft 365 found to breach data protection rules | TechCrunch
