The European Data Protection Supervisor (EDPS) has found that the European Commission violated data protection rules using Microsoft 365, prompting corrective measures. The EDPS revealed that the Commission failed to ensure adequate safeguards for transferring personal data outside the EU or the European Economic Area (EEA). The watchdog specified that the Commission's contract with Microsoft needed more clarity regarding the types of personal data collected and the purpose of data collection using Microsoft 365. The breaches extended to data processing and personal data transfers conducted on behalf of the Commission, impacting many individuals.
As a response, the EDPS has instructed the Commission to halt data transfers from using Microsoft 365 to Microsoft and its affiliates in non-EU/EEA countries without adequate decisions by 9 December 2024. The Commission must also ensure its Microsoft 365 operations comply with data protection regulations by conducting a transfer-mapping exercise, restricting third-country transfers, and implementing contractual provisions and organisational measures. The EDPS investigation, initiated in May 2021, was prompted by concerns about personal data transfer following the Schrems II ruling, focusing on data transfers to the United States.
The European Commission, in response, expressed its commitment to ensuring compliance with data protection rules in its use of Microsoft 365 and other software. The Commission will analyse the EDPS decision in detail but emphasise that compliance may undermine the current high level of mobile and integrated IT services. The EDPS acknowledges the Commission's need to carry out public duties without disruption, allowing time for the EU body to suspend data flows and align data processing with regulations.
Microsoft reassured European customers that Microsoft 365 fully complies with the General Data Protection Regulation (GDPR) and will collaborate with the European Commission to address concerns raised by the EDPS. In related investigations, the Commission is also examining Microsoft's bundling of Teams with Office and potential obstructions to customers relying on specific security software offered by competitors.