By Julia Tar | Euractiv Est. 6min 11-03-2024 (updated: 13-03-2024 ) Content-Type: News News Based on facts, either observed and verified directly by the reporter, or reported and verified from knowledgeable sources. [Tada Images/Shutterstock] Euractiv is part of the Trust Project >>> Languages: Français | DeutschPrint Email Facebook X LinkedIn WhatsApp Telegram Updates*Updated with comments from Microsoft and the European Commission. The European Commission violated data protection rules in its use of Microsoft 365, leading to the imposition of corrective measures by the European Data Protection Supervisor (EDPS), the watchdog announced on Monday (11 March). According to the EDPS, an independent supervisory authority ensuring that European institutions uphold privacy and data protection laws, the Commission violated several parts of the EU’s data protection regulation for institutions (Regulation 2018/1725). The law concerns data protection within the EU institutions, bodies, offices, and agencies (EUIs) and the processing of personal data by these entities, ensuring compliance with data protection principles and safeguarding individuals’ rights to privacy within the EU institutions. According to EDPS, the Commission neglected to ensure adequate safeguards for transferring personal data outside the EU or the European Economic Area (EEA). In its contract with Microsoft, the institution also failed to specify the types of personal data collected and the purpose of the data collection when using Microsoft 365, which includes collaboration and cloud-based services offered by Microsoft, including applications like Word, Excel, PowerPoint, Outlook, and online services such as OneDrive, Teams, and SharePoint. Four Apple and Microsoft services to be left out of Digital Markets Act The European Commission announced on 13 February that it decided not to designate Apple and Microsoft as gatekeepers for certain platform services under the Digital Markets Act. The Commission’s breaches as a data controller also extend to data processing, along with personal data transfers conducted on its behalf. Several violations involve all the Commission’s data activities, including those done through Microsoft 365, affecting many people, EDPS stated. “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” said the European Data Protection Supervisor, Wojciech Wiewiórowski. “This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI,” he added. Corrective measures As of December 9, 2024, the EDPS has instructed the Commission to stop sending data from its use of Microsoft 365 to Microsoft and its affiliates in non-EU/EEA countries without adequacy decisions. The Commission must also ensure its Microsoft 365 operations comply with Regulation 2018/1725 by the same date. To do this, the Commission will have to conduct a transfer-mapping exercise to detail personal data transfers, recipients, purposes, and safeguards. Moreover, it will also have to restrict third-country transfers to tasks within the controller’s competence and implement contractual provisions and organisational measures. This includes collecting personal data for explicit purposes, determining the types of data processed, and ensuring compliance with documented instructions and legal requirements. According to EDPS, personal data should not be used beyond its intended purposes unless permitted by law, data transmissions within the EU, or to Microsoft, or its partners adhere to EU data protection regulations, and personal data disclosures by Microsoft or its partners are restricted, except when required by EU or third-country law providing equivalent protection as in the EU. European Commission spokesperson Johannes Bahrke said during a press briefing that “the Commission has always been fully committed to ensuring that its use of Microsoft 365 is compliant with the applicable data protection rules and will continue to do so.” This also “applies to all other software acquired by the Commission,” he added. EU-US data transfer agreements: an endless disagreement? This week, Max Schrems, an Austrian lawyer and activist who launched the not-for-profit organisation NYOB, standing for None-of-Your-Business, joins Euractiv Tech brief podcast to talk about the European Union – United States Data Privacy Framework, the new transatlantic agreement allowing … The investigation The investigation into the Commission’s use of Microsoft 365 started in May 2021 after the Schrems II ruling, a landmark decision by the Court of Justice of the European Union about the transfer of personal data from the EU to third countries, focusing especially on data transfers to the United States and the adequacy of data protection and privacy measures in that context. The goal of the EDPS investigation is to verify compliance with EDPS recommendations on Microsoft’s products and services, part of the supervisor’s contribution to the 2022 Coordinated Enforcement Action of the European Data Protection Board (EDPB), which includes national data protection authorities representatives, as well as the EDPS. The 2022 Coordinated Enforcement Action of the EDPB was a joint effort by European data protection authorities to enforce data protection regulations, especially the EU’s supreme data privacy law, the General Data Protection Regulation (GDPR). Bahrke said that the Commission “is confident that it complies with the applicable data protection rules, both in fact and in law. Moreover, it put in place various improvements in the context of its contacts with the EDPS during the investigation.” Next steps The Commission spokesperson said they must “first analyse the decision’s conclusions and the underlying reasons in detail.” However, he added that “compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services. This applies not only to Microsoft but potentially also to other commercial IT services.” The watchdog noted that it acknowledges the Commission’s need to carry out its public duties without disruption, which is why it grants time for the EU body to suspend data flows and align data processing with regulation. However, EDPS’ current actions do not prevent it from taking further steps in the future if necessary. “Our customers in Europe can continue to use Microsoft 365 in full compliance with the GDPR and can count on our continued support and guidance,” a Microsoft spokesperson told Euractiv. “Concerns raised by the European Data Protection Supervisor relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the European Union institutions. We will review the EDPS’ decision and work with the European Commission to address the remaining concerns,” the spokesperson added. In July, it was the Commission that opened a formal investigation on Microsoft over concerns the company might have bundled its collaboration product Teams with its productivity software part of the Office package. According to recent media reports, the Commission is also investigating whether Microsoft is obstructing customers from relying on specific security software offered by its competitors. [Edited by Zoran Radosavljevic] Read more with Euractiv In last-minute upset, France pitches new changes to gig work fileAs EU ambassadors were due to meet on Friday (8 March) to try to agree again a provisional deal on the platform work directive, France circulated a set of changes it wants to make to the text, throwing another spanner in the works for the ill-starred file.