Is European data protection now falling on the feet of the EU Commission?

On 8 March 2024, the European Data Protection Supervisor (EDPS) found that the European Commission's use of Microsoft 365 violates EU data protection directives and imposed remedial measures on it.

The question of whether the use of Microsoft 365 complies with data protection regulations has been the subject of controversial debate for some time now. The European Data Protection Supervisor (EDPS) has now given a clear answer to this and announced the result of his investigation into the use of Microsoft 365 by the EU Commission, which was launched in May 2021, in a press release: The EU Commission had violated several provisions of Regulation (EU) 2018/1725, which regulates data protection for the EU institutions. The contract between the Commission and Microsoft did not sufficiently define and specify which types of personal data are collected and processed for which explicit purposes when using Microsoft 365 and which data may be passed on to which recipients and for which purposes. In addition, the Commission had failed to provide adequate safeguards to ensure that personal data transferred to third countries received an adequate level of protection, particularly in the past before the adequacy decision with the USA came into force.

The EDPS has therefore instructed the Commission to suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in third countries by 9 December 2024 at the latest. Exceptions only apply to third countries that have a level of data protection comparable to that of the EU. Due to the entry into force of the EU-U.S. Data Privacy Framework in July 2023, the USA is currently one of the countries in which such a level of data protection exists. In addition, the Commission must bring its data processing using Microsoft 365 in line with the requirements of Regulation (EU) 2018/1725 by the aforementioned deadline and demonstrate the corresponding data protection compliance. The list of measures to be taken is comprehensive: The EDPS instructs the Commission to (i) create a data transfer mapping to determine which recipients receive which data in which third countries, for which purposes and with which protective measures, (ii) ensure that data is only processed on the instructions of the Commission as part of order processing and (iii) create contractual bases to comply with the requirements of purpose limitation and data minimisation, ensuring internal transparency regarding data processing and preventing the disclosure of personal data to state authorities outside the EEA.

This ruling by the EDPS does not mean that the use of Microsoft 365 is generally not legally compliant. Regulation (EU) 2018/1725, on which the decision is based, does not apply to private companies either. However, the GDPR applicable to them contains identical requirements for the integration of cloud service providers. This EDPB decision therefore emphasises and confirms the view already published by the German Data Protection Conference (DSK) and various supervisory authorities that controllers using Microsoft 365 are required to clearly specify in the data processing agreements with Microsoft which personal data is processed for which purposes via the cloud application and to obtain internal transparency regarding processing in third countries in order to implement appropriate measures there to ensure an adequate level of protection. Companies that use Microsoft 365 should therefore carry out a data protection review of how exactly personal data is processed by whom (including any subcontractors) when using the tool, to what extent Microsoft may even process data for its own purposes, how the right to issue instructions to Microsoft is contractually structured, what regulations are required for data erasure, how exactly the technical and organisational measures (TOMs) are to be designed and what further risk assessments, including any data protection impact assessment (DPIA), are required.