EU's Use of Microsoft 365 Found To Breach Data Protection Rules

An anonymous reader quotes a report from TechCrunch: A lengthy investigation into the European Union's use of Microsoft 365 has found the Commission breached the bloc's data protection rules through its use of the cloud-based productivity software. Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed 'several key data protection rules when using Microsoft 365.'
'The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,' the data supervisor, Wojciech Wiewiorowski, wrote, adding: 'The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.' The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft's cloud suite. The regulator, which oversees' EU institutions' compliance with data protection rules, opened a probe of the Commission's use of Microsoft 365 and other U.S. cloud services back in May 2021.

The Commission confirmed receipt of the EDPB's decision and said it will need to analyze the reasoning 'in detail' before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with 'the applicable data protection rules, both in fact and in law.' It also said 'various improvements' have been made to contracts, with the EDPS, during its investigation. 'We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation,' it said. 'The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission.'

'The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission,' it went on, further noting: 'New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft.' While the Commission's public statements reiterated that it's committed to compliance with its legal obligations, it also claimed that 'compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services.' 'This applies not only to Microsoft but potentially also to other commercial IT services. But we need to first analyze the decision's conclusions and the underlying reasons in detail. We cannot provide further comments until we have concluded the analysis,' it added.

Read more of this story at Slashdot.