EC broke Union data protection laws while using Microsoft 365 services

EDPS didn't blame Microsoft but EU for this non-compliance

News

Reading time icon 2 min. read

Calendar icon Published on

by Srishti Sisodia 

published on

Share this article

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

EC broke Union data protection laws while using Microsoft 365 services

According to the European Data Protection Supervisor (EDPS), the European Commission didn’t abide by several important data protection rules under European Union data protection laws while using Microsoft 365 services.

The EDPS is an independent body that is responsible for conducting data protection audits within EU institutions and can issue corrective measures to rectify violations.

Wojciech Wiewiórowski, EDPS, said:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is
imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725,
whenever their data is processed by, or on behalf of, an EU.

The investigation’s key findings indicate that EC failed to specify in its contract with Microsoft the types of data that could be collected and mention the purpose of the same.

Furthermore, the EC didn’t implement adequate safeguards concerning the transfer of data outside the European Union area, an important aspect of ensuring the protection of individuals’ personal information.

The European Data Protection Supervisor ordered the European Commission to bring its use of Microsoft 365 services into compliance with the EU’s stringent data protection regulations. It also informed that Microsoft 365 data flows that don’t adhere to the regulations will be suspended effective December 9, 2024.

The breach occurred over a three-year period, starting on May 21, 2021, and ending with the EDPS decision on March 8, 2024.

The European Data Protection Supervisor said the EC failed to ensure proper contractual specifications with Microsoft as the EC didn’t clarify the use of data and didn’t blame Microsoft for this.

As EDPS found the EU at fault, it enforced EU regulation 2018/1725 on the processing of personal data, which shows how important robust data protection measures are, especially when working with external service providers.

This incident reminds people doing business in Europe to pay attention to all the tiny contractual details and adhere to the regulatory framework to avoid problems in the future.

What are your thoughts on the matter? Share your opinions in the comments section below.

More about the topics: Microsoft 365

Srishti Sisodia

Srishti Sisodia Shield

Windows Software Expert

Srishti Sisodia is an electronics engineer and writer with a passion for technology. She has extensive experience exploring the latest technological advancements and sharing her insights through informative blogs. Her diverse interests bring a unique perspective to her work, and she approaches everything with commitment, enthusiasm, and a willingness to learn. That's why she's part of Windows Report's Reviewers team, always willing to share the real-life experience with any software or hardware product. She's also specialized in Azure, cloud computing, and AI.