EC broke Union data protection laws while using Microsoft 365 services

EDPS didn’t blame Microsoft but EU for this non-compliance

2 min. read

Published onMarch 12, 2024

published onMarch 12, 2024

Share this article

Read our disclosure page to find out how can you help Windows Report sustain the editorial teamRead more

According to theEuropean Data Protection Supervisor(EDPS), the European Commission didn’t abide by several important data protection rules under European Union data protection laws while using Microsoft 365 services.

The EDPS is an independent body that is responsible for conducting data protection audits within EU institutions and can issue corrective measures to rectify violations.

Wojciech Wiewiórowski, EDPS, said:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This isimperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725,whenever their data is processed by, or on behalf of, an EU.

The investigation’s key findings indicate that EC failed to specify in its contract with Microsoft the types of data that could be collected and mention the purpose of the same.

Furthermore, the EC didn’t implement adequate safeguards concerning the transfer of data outside the European Union area, an important aspect of ensuring the protection of individuals’ personal information.

The European Data Protection Supervisor ordered the European Commission to bring its use of Microsoft 365 services into compliance with the EU’s stringent data protection regulations. It also informed that Microsoft 365 data flows that don’t adhere to the regulations will be suspended effective December 9, 2024.

The breach occurred over a three-year period, starting on May 21, 2021, and ending with the EDPS decision on March 8, 2024.

The European Data Protection Supervisor said the EC failed to ensure proper contractual specifications with Microsoft as the EC didn’t clarify the use of data and didn’t blame Microsoft for this.

As EDPS found the EU at fault, it enforced EU regulation 2018/1725 on the processing of personal data, which shows how important robust data protection measures are, especially when working with external service providers.

This incident reminds people doing business in Europe to pay attention to all the tiny contractual details and adhere to the regulatory framework to avoid problems in the future.

What are your thoughts on the matter? Share your opinions in the comments section below.

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low#

Copilot in Outlook will generate personalized themes for you to customize the app#

Microsoft will raise the price of its 365 Suite to include AI capabilities#

Death Stranding Director’s Cut is now Xbox X|S at a huge discount#

Outlook will let users create custom account icons so they can tell their accounts apart easier#

EC broke Union data protection laws while using Microsoft 365 services#

With KB5043178 to Release Preview Channel, Microsoft advises Windows 11 users to plug in when the battery is low

Copilot in Outlook will generate personalized themes for you to customize the app

Microsoft will raise the price of its 365 Suite to include AI capabilities

Death Stranding Director’s Cut is now Xbox X|S at a huge discount

Outlook will let users create custom account icons so they can tell their accounts apart easier

EC broke Union data protection laws while using Microsoft 365 services