The European Data Protection Supervisor revealed that the European Commission has infringed several data protection laws when using Microsoft 365.
The Commission breached the European Union's (EU) Regulation 2018/1725, which governs the processing of personal data by EU bodies, agencies, and offices. Under the regulation, the Commission:
- Failed to provide appropriate safeguards to ensure that personal data transferred outside the EU and European Economic Area was afforded a level of protection equivalent to that guaranteed within the EU and European Economic Area, and
- Failed to sufficiently specify what types of personal data were to be collected and for what explicit and specific purpose in its contract with Microsoft for the use of Microsoft 365.
These breaches comprised 11 infringements of the regulation, and the European Data Protection Supervisor took several corrective actions against the Commission, including:
- Suspending all data flows resulting from the Commission’s use of Microsoft 365 to Microsoft and its affiliate and sub-processors located in countries outside the EU and European Economic Area not covered by an adequacy decision, and
- Bringing all processing operations resulting from the Commission’s use of Microsoft 365 into compliance with the regulation.
The European Data Protection Supervisor has taken a strong stance on these data protection failures to highlight that, regardless of an entity's size or role, it always remains subject to data protection law within the EU, even when using a common tool such as Microsoft 365.
Compliance with these corrective actions must be demonstrated by the Commission by 9 December 2024.
For a full reading of the media release, see here.