The European Commission is not complying with European data protection rules when using Microsoft 365 and must take action.
Europe finds that Europe is violating European data protection regulations. More specifically, the EDPS (European Data Protection Supervisor) has found that the European Commission is violating the provisions of the EUDPR through its use of Microsoft 365. The Commission must take action by December 9th. The EUDPR is a variant of the GDPR that applies to European authorities.
Following an investigation, the EDPS found several violations. For example, the EU has not ensured that personal data is transferred from the European Economic Area in a secure manner and with the same protection as in the EU, even though this is mandatory. In its contract with Microsoft for the use of Microsoft 365, the Commission also did not specify with sufficient precision which personal data was collected and for what purpose.
Restrict data flow
All data flows to Microsoft or subcontractors outside the EU must be stopped by December 9th. Until then, the processing of data resulting from the use of Microsoft 365 must also be carried out in accordance with the rules. The EDPS has taken into account that the Commission has important tasks to fulfill and has therefore opted for a transition period until the end of the year. The European Commission has ten months to sort out its affairs.
"It is the responsibility of the EU institutions, bodies and agencies to ensure that any processing of personal data outside and within the EU/EEA, including in relation to cloud services, is supported by robust data protection safeguards and measures," says Wojciech Wiewiórowski of the EDPS. "This is necessary to ensure that the data of natural persons are protected in accordance with Regulation (EU) 2018/1725 when their data is processed by or on behalf of a European institution."
The EDPS opened an investigation against the Commission in May 2021 following the Schrems II ruling. The aim was to determine whether the Commission adhered to the EDPS guidelines on the use of Microsoft 365. That doesn’t seem to be the case. The biggest problem seems to lie in the contractual terms. It is not the case that the Commission is exporting massive amounts of personal data to the US, but it lacks the necessary safeguards to prevent this.