The European Commission (EC) has been found to have breached EU data protection rules through its use of Microsoft 365 and the way personal data is handled when it leaves the EU.
Under EU data protection legislation, the transfer of personal data outside the EU and European Economic Area (EEA) is restricted: it is permitted only to countries covered by an adequacy decision or where appropriate safeguards are in place.
The European Data Protection Supervisor (EDPS) found that the EC had infringed several provisions of the data protection rules that apply to EU institutions, in particular those governing the flow and processing of data outside the EU, and had failed to put in place appropriate safeguards to guarantee the protection of that data.
“The EDPS has found that the commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA),” the EDPS said in a press release.
“In particular, the commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA.
“Furthermore, in its contract with Microsoft, the commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365.”
The EDPS said that the infringements affected a large number of people and concern all of the processing operations the EC carries out.
“It is the responsibility of the EU institutions, bodies, offices, and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected,” says European Data Protection Supervisor Wojciech Wiewiórowski.
Following this, the EDPS has ordered the EC to “suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision”.
It added that the EC has been ordered to bring the processing operations resulting from its use of Microsoft 365 into compliance with the data protection rules.
The EC is to comply with these orders by 9 December 2024.
While censuring the commission, the EDPS said it recognises that the EC must continue to carry out its operations in the public interest and that it does not intend to interfere with them. That is why it has allowed the EC a lengthy period in which to comply.
“The measures imposed by the EDPS in its decision of 8 March 2024 are without prejudice to any other or further action that the EDPS may undertake,” the EDPS added.