A prolonged investigation into the European Union's use of Microsoft 365 found that the institution violated the bloc's data protection rules by using the cloud-based productivity software.
In a press release today, the European Data Protection Supervisor (EDPS) stated that the institution violated "key data protection principles when using Microsoft 365."
"The institution did not specify which types of personal data should be collected and processed for explicit and specific purposes when using Microsoft 365," wrote the data protection supervisor, Wojciech Wiewiórowski, adding: "The violations of the institution as a data controller also relate to data processing, including transfers of personal data being carried out on its behalf."
The EDPS imposed corrective measures requiring the institution to address the compliance issues identified by December 9, 2024, if it continues to use Microsoft's cloud package.
Microsoft and the institution were contacted for comment on the EDPS findings; neither had responded at the time of writing.
The regulator, overseeing the compliance of EU institutions with data protection rules, initiated an investigation into the institution's use of Microsoft 365 and other cloud services back in May 2021.
The issue at hand is how Microsoft processes user data in its cloud service. EU regulators have expressed concerns for years, including regarding the legal basis Microsoft claims for data processing; lack of clarity and precision in contractual wording; and insufficient technical safeguards to ensure data is used only for service provision and maintenance.
When the EDPS initiated the investigation, there was also no EU-US data transfer agreement following the invalidation of the Privacy Shield in July 2020.
A new transatlantic data transfer agreement was eventually agreed upon and adopted two years later, in July 2023. For a significant portion of the period during which the EDPS investigated the institution's use of Microsoft 365, however, no data transfer agreement covered transfers from the EU to the US. Nevertheless, the use of Microsoft 365 routinely led to data flows back to Microsoft's servers in the US.
Regarding data transfers, the EDPS found that the institution failed to ensure appropriate safeguards were in place so that the data would receive equivalent protection once it left the bloc.
The data watchdog instructed the institution to halt all data flows resulting from its use of Microsoft 365 to Microsoft and its subprocessors located in countries outside the EU/EEA not covered by an adequacy decision of the EU on data transfers – again, with a deadline of December 9 for this.
The institution was also instructed to carry out a data transfer mapping exercise – identifying "what personal data are transferred to whom in which third countries, for what purposes and subject to what safeguards, including onward transfers." It must ensure that all transfers to non-EU countries without an EU adequacy decision are made "only to enable the performance of tasks within the competence of the controller."
More broadly, the EDPS's corrective measures require the institution to amend its contracts with Microsoft so that they contain the contractual provisions and organizational and/or technical measures necessary to ensure that personal data is collected only for explicit and specified purposes, and that those purposes are "defined enough" with respect to the processing carried out.
Additionally, the order requires that data be processed by Microsoft or its subprocessors only "according to documented instructions from the institution" – unless the processing takes place within the EU/EEA for a purpose compliant with EU law or the laws of EU-affiliated countries, or, where processing takes place outside that area for a different purpose under the law of a third country, equivalent protection is in place.
The contracts must also ensure there is no further processing of data – i.e., uses beyond the original purpose for which the data was collected.
The EDPS found that the institution violated the "purpose limitation" principle of data protection rules by failing to adequately specify the types of personal data collected under the licensing agreement it concluded with Microsoft Ireland, meaning it could not ensure the purposes were specific and explicit.
The European Union also did not provide sufficiently documented guidelines to Microsoft regarding processing; failed to ensure processing was limited to its instructions; and failed to assess whether Microsoft's continued processing remained within the purpose originally stated for collection, among other shortcomings identified by the EDPS.
In a statement, Wiewiórowski wrote:
It is incumbent on European Union institutions, bodies, offices, and agencies (EUIs) to ensure that all processing of personal data within and outside the European Union/EEA, including in the context of cloud-based services, is accompanied by strong protective measures to safeguard data and means. It is essential to ensure that individuals' information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, EUIs.
In recent years, Microsoft has responded to the heightened regulatory risk around EU data transfers by expanding its data localization efforts for regional cloud customers, branded the "EU Data Boundary for Microsoft Cloud." However, the technical infrastructure is still being deployed, and its design remains incomplete: by Microsoft's own account, certain data will still be accessible outside the European Union even after the rollout, which it expects to finish by the end of the current year.