The Use of Microsoft Software by EU Commission Breached Privacy Rules, Watchdog Reports

The European Data Protection Supervisor (EDPS) announced on Monday that the European Commission’s use of Microsoft software violated EU privacy regulations. Additionally, the EDPS criticized the Commission for failing to implement adequate safeguards for personal data transferred to non-EU countries.

The EDPS ordered the Commission to rectify these issues, directing it to cease data transfers to Microsoft and its subsidiaries in third countries lacking privacy agreements with the EU. A deadline of December 9 was set for compliance with these directives.

This decision by the EDPS came after a three-year investigation prompted by concerns about the transfer of personal data to the United States, particularly following revelations in 2013 by former U.S. intelligence contractor Edward Snowden regarding mass surveillance by U.S. agencies.

Microsoft Logo at the Complex in Los Angeles

According to the EDPS statement, “The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.”

The European Economic Area (EEA), comprising the 27 EU countries along with Iceland, Liechtenstein, and Norway, was highlighted in the context of data protection.

Regarding the specifics of the Commission’s contract with Microsoft, the EDPS noted inadequacies in specifying the types of personal data to be collected and for what explicit purposes, particularly in its use of Microsoft 365, which encompasses various applications like Word, Excel, PowerPoint, and Outlook.

Microsoft 365 suite

Consequently, the EDPS ordered the Commission to suspend all data flows resulting from its utilization of Microsoft 365 to Microsoft and its affiliates and sub-processors located outside Europe in countries without adequacy decisions.

While the EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain, and the United States, Microsoft 365 usage must comply with EU privacy regulations.

Although the Commission did not immediately respond to requests for comment, Microsoft stated its intention to review the EDPS decision and collaborate with the EU executive to address concerns.

A Microsoft spokesperson highlighted that the concerns raised by the EDPS primarily related to stricter transparency requirements under the EU General Data Protection Regulation (GDPR), which specifically applies to EU institutions. Additionally, the EU executive was urged to ensure that its utilization of Microsoft 365 aligns with privacy regulations.

Michael Manua
Michael Manua
Michael, a seasoned market news expert with 29 years of experience, offers unparalleled insights into financial markets. At 61, he has a track record of providing accurate, impactful analyses, making him a trusted voice in financial journalism.
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x