The European Data Protection Supervisor (EDPS) announced on Monday that the European Commission’s use of Microsoft software violated EU privacy regulations. Additionally, the EDPS criticized the Commission for failing to implement adequate safeguards for personal data transferred to non-EU countries.
The EDPS ordered the Commission to rectify these issues, directing it to cease data transfers to Microsoft and its subsidiaries in third countries lacking privacy agreements with the EU. A deadline of December 9 was set for compliance with these directives.
This decision by the EDPS came after a three-year investigation prompted by concerns about the transfer of personal data to the United States, particularly following revelations in 2013 by former U.S. intelligence contractor Edward Snowden regarding mass surveillance by U.S. agencies.
According to the EDPS statement, “The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.”
The EU/EEA referred to in the statement is the European Economic Area, which comprises the 27 EU countries along with Iceland, Liechtenstein, and Norway.
Regarding the specifics of the Commission’s contract with Microsoft, the EDPS noted inadequacies in specifying the types of personal data to be collected and for what explicit purposes, particularly in its use of Microsoft 365, which encompasses various applications like Word, Excel, PowerPoint, and Outlook.
Consequently, the EDPS ordered the Commission to suspend all data flows resulting from its utilization of Microsoft 365 to Microsoft and its affiliates and sub-processors located outside Europe in countries without adequacy decisions.
The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain, and the United States; even so, the Commission's use of Microsoft 365 must still comply with EU privacy regulations.
Although the Commission did not immediately respond to requests for comment, Microsoft stated its intention to review the EDPS decision and collaborate with the EU executive to address concerns.
A Microsoft spokesperson highlighted that the concerns raised by the EDPS primarily related to stricter transparency requirements under the EU General Data Protection Regulation (GDPR), which specifically applies to EU institutions. Additionally, the EU executive was urged to ensure that its utilization of Microsoft 365 aligns with privacy regulations.