
EU Finds Itself Guilty of Breaking Data Rules

A lengthy probe has found that the EU has infringed its own rules while using Microsoft 365

Now, this one is for posterity. An official body probing data security violations in the European Union has found itself guilty of breaking the bloc’s data protection rules by using cloud-based productivity software. The European Data Protection Supervisor (EDPS) found the EU guilty of infringing “several data protection rules” and imposed corrective measures. 

The lengthy investigation was necessitated by the European Union’s use of Microsoft 365, a cloud-based productivity software suite. The EDPS said in a press statement that it found that the EU had infringed several provisions of the regulations under the data protection laws for institutions, bodies, offices and agencies, particularly those around personal data transfer outside of the European Economic Area. 

How did the EU find the EU guilty?

“In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA,” says the regulator which had opened a probe of the Commission’s use of Microsoft 365 and other US cloud services in May 2021. 

Data supervisor Wojciech Wiewiórowski said the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specific purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.

What is the solution now?

The body imposed corrective measures requiring the Commission to address the compliance issues that were identified and fix them before December 9, 2024. Of course, this presupposes that the Commission will continue to use Microsoft’s cloud suite in the future.

For several years now, EU regulators have been raising concerns over how Microsoft processes user data on its cloud services. They have questioned not only the legal basis for the company processing such data but also pointed to a lack of transparency in the product’s contract wording and the absence of technical safeguards to ensure data protection.

What took the regulator so long to decide?

Of course, one may ask why the EDPS took so long to complete the probe. The fact is that there was no data transfer agreement between the EU and the US in 2020. A new transatlantic data transfer agreement was signed in July 2023. The order now says that the EU failed to secure additional safeguards for the data exports.

It has further ruled that the Commission should suspend all data flows resulting from the use of Microsoft 365 to the company and its affiliates and sub-processors located in countries outside of the EU and the EEA and not covered by an EU adequacy decision on data transfers. Once again the deadline is set for December 9 to ensure compliance. 

What else must the EU do now?

The order also asks the EU authorities to carry out a data transfer-mapping exercise to identify “what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including onward transfers”. All of this squarely puts the onus on the European Commission to fix its contracts with Microsoft and any other such providers.

Coming to the order itself, the Commission confirmed receipt of the EDPS’ orders and said it would analyze them in detail before deciding how to proceed. The Commission said it was confident that it complies with the applicable data protection rules, both in fact and in law, while also noting that improvements have been made to its contracts.

“We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation. The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission,” it noted.