EC broke Union data protection laws while using Microsoft 365 services

EDPS didn't blame Microsoft but EU for this non-compliance

Reading time icon 2 min. read


Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team. Read more

EC broke Union data protection laws while using Microsoft 365 services

According to the European Data Protection Supervisor (EDPS), the European Commission didn’t abide by several important data protection rules under European Union data protection laws while using Microsoft 365 services.

The EDPS is an independent body that is responsible for conducting data protection audits within EU institutions and can issue corrective measures to rectify violations.

Wojciech Wiewiórowski, EDPS, said:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is
imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725,
whenever their data is processed by, or on behalf of, an EU.

The investigation’s key findings indicate that EC failed to specify in its contract with Microsoft the types of data that could be collected and mention the purpose of the same.

Furthermore, the EC didn’t implement adequate safeguards concerning the transfer of data outside the European Union area, an important aspect of ensuring the protection of individuals’ personal information.

The European Data Protection Supervisor ordered the European Commission to bring its use of Microsoft 365 services into compliance with the EU’s stringent data protection regulations. It also informed that Microsoft 365 data flows that don’t adhere to the regulations will be suspended effective December 9, 2024.

The breach occurred over a three-year period, starting on May 21, 2021, and ending with the EDPS decision on March 8, 2024.

The European Data Protection Supervisor said the EC failed to ensure proper contractual specifications with Microsoft as the EC didn’t clarify the use of data and didn’t blame Microsoft for this.

As EDPS found the EU at fault, it enforced EU regulation 2018/1725 on the processing of personal data, which shows how important robust data protection measures are, especially when working with external service providers.

This incident reminds people doing business in Europe to pay attention to all the tiny contractual details and adhere to the regulatory framework to avoid problems in the future.

What are your thoughts on the matter? Share your opinions in the comments section below.

More about the topics: Microsoft 365

User forum

0 messages