EU Commission’s Use of Microsoft Software under Scrutiny over Data Privacy Concerns


The European Commission’s use of Microsoft software has raised significant concerns regarding compliance with EU privacy regulations. The EU privacy watchdog, the European Data Protection Supervisor (EDPS), highlighted breaches of privacy rules and the absence of adequate safeguards for personal data transferred to non-EU countries. The European Economic Area (EEA) consists of the 27 member states of the European Union, in addition to Iceland, Liechtenstein, and Norway.

The deadline for compliance, December 9, is stipulated in the EDPS’s mandate to the Commission, which emphasizes how urgent it is to rectify these issues. The verdict is the result of a comprehensive three-year study that was started in response to Edward Snowden’s 2013 disclosures, which revealed extensive US surveillance and raised concerns about the transfer of personal data to the US.

A primary criticism raised by the European Data Protection Supervisor (EDPS) is the Commission’s inability to guarantee that personal data transferred outside the EU/EEA receives the same degree of protection as it does within the EU/EEA. This weakness in protective measures raises serious concerns about the security and privacy of personal data.

The EDPS also uncovered flaws in the Commission’s agreement with Microsoft, mainly in how it specifies the kinds of personal data that are collected and the precise purposes for which that data is used within the Microsoft 365 suite. This ambiguity raises concerns about accountability and transparency in data processing.

The primary area of concern is how Microsoft manages customer data in its cloud service. Over the years, EU regulators have expressed concern over this matter on several occasions, mainly with regard to the legal basis Microsoft claims for data processing, the inconsistent language used in its product contracts, and the lack of technical measures to ensure data is used only for maintenance and service provision.

The EDPS started its inquiry after the EU-U.S. Privacy Shield was invalidated in July 2020, at a time when no data transfer agreement existed between the EU and the U.S. A new transatlantic data transfer agreement was not agreed upon and adopted until July 2023, three years later.

For a large portion of the time that the EDPS was investigating the Commission’s Microsoft 365 usage, there was no agreement in place controlling data transfers from the European Union to the United States. Nevertheless, regular use of Microsoft 365 resulted in data returning to Microsoft’s US servers.

On data transfers, the EDPS concluded that the Commission had not provided sufficient safeguards for these exports, and so could not ensure that data would receive a nearly equivalent level of protection once it left the EU.

As a result, the data supervisor has directed the Commission to stop all data flows arising from its use of Microsoft 365 to Microsoft, its affiliates, and sub-processors in non-EU/EEA countries that are not covered by an EU adequacy decision on data transfers. The deadline for complying with this directive is December 9.

Furthermore, even though the EU has data adequacy agreements with a number of nations, including Argentina, Japan, South Korea, Switzerland, Britain, and the United States, the Commission’s actions suggest a need for increased vigilance in ensuring compliance with privacy rules across all data processing activities.

Microsoft has stated that it will analyze the EDPS’s ruling and work with the EU executive to address any issues in response to these developments. To defend people’s rights to privacy and data protection, the Commission must, nevertheless, take proactive steps to guarantee that its use of Microsoft 365 and other software platforms complies with EU privacy legislation.
