EU Watchdog Finds European Commission's Microsoft Use in Violation of Privacy Rules

Published March 12, 2024

In a significant development regarding data privacy compliance within the European Union (EU), the European Commission has been found in breach of EU privacy rules due to its use of Microsoft software. This finding follows a comprehensive three-year investigation by the European Data Protection Supervisor (EDPS), which concluded that the Commission has not implemented satisfactory measures to protect personal data when transferred to non-EU countries—particularly the United States.


The probe by the EDPS stems from longstanding concerns about the security of personal data transfers to the US, which were brought to international attention in 2013 by whistleblower Edward Snowden's revelations about extensive US surveillance practices. Since then, the secure handling and transmission of data have become even more critical areas of focus within EU institutions and member states.


The EDPS has explicitly pinpointed flaws in the contractual agreements between the European Commission and Microsoft. There is a lack of clarity on the kind of personal data collected and the specific purposes for which it is being used while utilizing Microsoft 365—a suite of tools including Word, Excel, PowerPoint, and Outlook. The implications of such loose parameters are troubling, raising fears about potential misuse and insufficient data protection compliance.


Critically, the watchdog has highlighted a failure to safeguard data when transferred outside of the European Economic Area (EEA), which encompasses all 27 EU member states plus Iceland, Liechtenstein, and Norway. The EU has existing data adequacy agreements with only 16 countries, and the concern is that personal data may not be receiving "an essentially equivalent level of protection" when processed by entities in other nations.


As a repercussion of this breach, the EDPS has instructed the European Commission to bring its data handling and processing practices in line with the stringent privacy standards set by the EU. The Commission is ordered to discontinue all data transfers stemming from its use of Microsoft 365 to the US company and associated subsidiaries or sub-processors situated in countries lacking an adequacy decision pertinent to privacy. The deadline for these actions has been set for December 9.


While the European Commission has yet to issue a public response to the EDPS's ruling, Microsoft has acknowledged the decision and indicated its readiness to collaborate with the EU executive to address the concerns raised. A spokesperson noted that the concerns voiced by the EDPS relate largely to the more robust transparency requirements stipulated by the EU General Data Protection Regulation (GDPR), which is specifically applicable to EU institutions.


The EU executive faces significant pressure to adapt its practices so that its use of Microsoft 365 fully aligns with EU privacy regulations. More broadly, this development illustrates the rigorous standards the EU upholds concerning data privacy and the repercussions institutions may face for non-compliance.


