Data Protection Rules Breached: EU’s Utilization of Microsoft 365 Unveiled

A lengthy investigation into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software. Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed “several key data protection rules when using Microsoft 365”. The regulator, which oversees EU institutions’ compliance with data protection rules, opened a probe of the Commission’s use of Microsoft 365 and other US cloud services back in May 2021. Use of Microsoft 365 routinely results in data flowing back to Microsoft’s servers in the US. Over the last few years, Microsoft has responded to heightened EU regulatory risk attached to data transfers by expanding a data localization effort focused on regional cloud customers, in an infrastructure it has branded the “EU Data Boundary for the Microsoft Cloud”.

In a groundbreaking ruling released today, the European Data Protection Supervisor (EDPS) announced that a thorough investigation into the use of Microsoft 365 by the European Union revealed multiple breaches of the bloc’s data protection rules. The EDPS, a regulatory body responsible for overseeing compliance with data protection laws within EU institutions, found that the Commission, as the data controller, had failed to adhere to key principles while utilizing the cloud-based productivity software.

“The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiórowski, stated in his report. “The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.”

The EDPS has imposed corrective measures, giving the Commission until December 9, 2024 to address the identified compliance issues, assuming it continues to utilize Microsoft’s cloud suite. As of this writing, neither Microsoft nor the Commission has responded to the EDPS’ findings.

The investigation, which was launched in May 2021, focused on how Microsoft handles user data within its cloud service. The EDPS had previously raised concerns about the legality of Microsoft’s data processing methods, the lack of clarity in contracts for the product, and the absence of technical safeguards to ensure data is only used for necessary purposes. Additionally, the EDPS noted that during a significant portion of the investigation, there was no data transfer agreement in place between the EU and the US, after the EU-US Privacy Shield was struck down in July 2020.

However, a new transatlantic data transfer agreement was eventually reached and put into effect in July 2023, three years later. But the EDPS found that the Commission had failed to ensure adequate safeguards were applied to any data exports to countries outside the EU/EEA without an adequacy decision on data transfers. This is especially concerning as Microsoft’s servers are located in the US, and data from EU users regularly flows back to them.

As part of its corrective measures, the EDPS has ordered the Commission to suspend all data transfers resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries that lack adequacy decisions on data transfers. The Commission also has until December 9 to complete a data transfer-mapping exercise, identifying what personal data is being transferred to which recipients in which third countries, for what purposes, and with which safeguards. Additionally, the Commission must ensure that all transfers to non-EU countries without adequacy decisions are solely for the purpose of fulfilling tasks within the controller’s competence.

“It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” stated Wiewiórowski in a statement. “This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”

The EDPS also found that the Commission had violated the “purpose limitation” principle of data protection rules by failing to properly determine the types of personal data collected under its licensing agreement with Microsoft Ireland. This has resulted in the Commission being unable to ensure that the data collected is specific and explicit.

As part of its corrective measures, the EDPS has ordered the Commission to improve its contracts with Microsoft, ensuring that they contain necessary provisions, organizational measures, and technical measures to restrict the collection of personal data to explicit and specified purposes. The contracts must also specify that Microsoft or its affiliates or sub-processors may only process data on the Commission’s documented instructions, or in cases where the processing takes place within the region and complies with EU or Member State law. Additionally, if data is processed outside the region for a purpose under third-country law, there must be equivalent protection in place. The contracts must also prohibit any further processing of the data beyond its original purpose.

While Microsoft has attempted to address regulatory concerns by expanding its data localization efforts for regional cloud customers, known as the “EU Data Boundary for the Microsoft Cloud,” this infrastructure is still being rolled out and currently allows for data to be accessible outside the EU. This will not be fully addressed until the end of 2021, according to Microsoft.

Ava Patel

Ava Patel is a cultural critic and commentator with a focus on literature and the arts. She is known for her thought-provoking essays and reviews, and has a talent for bringing new and diverse voices to the forefront of the cultural conversation.
