EU data protection authority says: EU Commission violates GDPR with Microsoft 365

On Monday, March 11, 2024, the European Data Protection Supervisor (EDPS) publicly stated in a report that the European Commission has violated its own data protection rules when using Microsoft 365. The EDPS has instructed the EU Commission to stop, as of December 9, 2024, transferring data generated by the use of Microsoft 365 to Microsoft and its subsidiaries in non-EU/EEA countries that are not covered by an adequacy decision.


The topic of "Is Microsoft 365 GDPR-compliant?" has been looming for years. I first addressed it for Germany in 2022, when the Data Protection Conference (DSK) determined that Microsoft 365 was not compliant with data protection regulations (GDPR). Anyone using the product is acting in breach of data protection regulations – at least as far as the standard configuration specified by Microsoft is concerned. Despite improvements, Microsoft had not managed to ensure the GDPR compliance of Microsoft 365 by 2022; that was the conclusion of the DSK.

The Data Protection Conference (DSK) is the conference of the independent federal and state data protection authorities in Germany. The body deals with current data protection issues in Germany and gives its opinion on them.

We are now in the year 2024 and Microsoft is trumpeting its intention to use Copilot in all its products – a no-go for data protection. I am therefore waiting for the European Court of Justice (ECJ) to issue another "Schrems III" ruling, which declares the transfer of data outside the EU inadmissible if an equivalent level of data protection cannot be established.

Investigation since 2021

The EDPS investigation into the EU Commission's use of Microsoft 365 began in May 2021, after the CJEU handed down its judgment in the Schrems II case. In that landmark judgment, the Court of Justice of the European Union examined the legality of transferring personal data from the EU to third countries, in particular transfers to the United States, and the adequacy of the data protection and privacy safeguards in that context. The court concluded that such transfers were not compliant with the GDPR.

The aim of the EDPS investigation is to verify compliance with the EDPS recommendations on Microsoft products and services. It forms part of the supervisory authority's contribution to the 2022 Coordinated Enforcement Action of the European Data Protection Board (EDPB), the body made up of representatives of the national data protection authorities and the EDPS.


Final finding of March 11, 2024

Euractiv reports in the article "EU Commission breached data protection rules using Microsoft 365, EU watchdog found" that the European Data Protection Supervisor (EDPS) has concluded that the European Commission breached data protection rules when using Microsoft 365. This includes breaches of several provisions of the EU data protection regulation for institutions (Regulation (EU) 2018/1725).

That Regulation governs data protection in the EU institutions, bodies, offices and agencies (EUIs) and the processing of personal data by these bodies, in order to ensure compliance with data protection principles and to protect individuals' right to privacy vis-à-vis the EU institutions.

According to the EDPS, the EU Commission failed to ensure adequate safeguards for the transfer of personal data outside the EU or the European Economic Area (EEA). In its contract with Microsoft, the EU Commission as an institution also failed to specify the types of personal data collected and the purpose of the data collection when using Microsoft 365. Microsoft 365 comprises collaboration and cloud-based services, including applications such as Word, Excel, PowerPoint, Outlook and online services such as OneDrive, Teams and SharePoint.

The infringements by the EU Commission as controller also extend to data processing and transfers of personal data carried out on its behalf. According to the EDPS, several of the breaches affect all data processing activities of the EU Commission, including those carried out in Microsoft 365, and therefore the personal data of a large number of people.

"It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures," said the European Data Protection Supervisor, Wojciech Wiewiórowski. "This is imperative to ensure that individuals' data is protected in accordance with Regulation (EU) 2018/1725 when their data is processed by or on behalf of an EUI." The EDPS press release of March 11, 2024 gives the details.

Until December 2024 to fix it

The EDPS has instructed the EU Commission to stop, as of December 9, 2024, transferring data generated by the use of Microsoft 365 to Microsoft and its affiliates in non-EU/EEA countries that are not covered by an adequacy decision. By the same date, the EU Commission must also bring its Microsoft 365 operations into compliance with Regulation 2018/1725. To this end, the Commission must carry out a transfer mapping exercise that documents each transfer of personal data together with its recipients, purposes and safeguards.

The EU Commission must also limit transfers to third countries to those required for tasks that fall within the controller's responsibility, and it must put in place contractual provisions and organizational measures. These include collecting personal data only for clearly specified purposes, defining the types of data processed, and ensuring that processing follows documented instructions and legal requirements.

According to the EDPS, personal data must not be used beyond its intended purpose unless the law permits it; data transfers within the EU and to Microsoft or its partners must comply with EU data protection rules; and disclosure of personal data by Microsoft or its partners must be restricted unless it is required by EU law or by the law of a third country that provides a level of protection equivalent to that in the EU.

The grace period until the beginning of December 2024 reflects the data protection authorities' recognition that the Commission needs to perform its public duties without interruption. Now, however, the EU Commission must get its act together and finally conclude an agreement with Microsoft on the GDPR-compliant use of Microsoft 365. Whether that is even possible at the end of the day, and whether it will stand up to scrutiny by the ECJ, is another matter.
