EU’s Microsoft software usage breaks its own data privacy rules

11 Mar 2024


In an interesting turn of events, the EU data privacy watchdog has slapped the Commission with a warning after the latter’s use of Microsoft 365 was found to violate the bloc’s privacy rules.

The European Data Protection Supervisor (EDPS) has found that the EU Commission’s use of Microsoft 365 software has breached the region’s data protection laws.

The EU’s privacy regulator announced today (11 March) that the Commission must suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the remit of the EU.

The EDPS has also ordered the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with EU privacy rules. The Commission has until 9 December to ensure it is fully compliant with the EDPS’ regulations.

Wojciech Wiewiórowski, EDPS, said: “It is the responsibility of the EU institutions, bodies, offices and agencies to ensure that any processing of personal data outside and inside the EU and EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected.”

The EDPS initially opened its investigation into the Commission’s use of Microsoft 365 in 2021. The probe was linked to the Schrems judgement, which concerned the data-sharing relationship between the EU and the US. That judgement ruled that a tool called Privacy Shield, which the EU had been using to share personal data with Big Tech companies such as Microsoft and Amazon, was invalid.

In the years since the investigation into the EU’s data transfer relationship with Microsoft specifically was opened, the EU and the US did make some inroads in creating a proper framework for data sharing.

However, the EU’s usage of Microsoft 365 meant data was flowing through the Big Tech company’s servers in the US. In response to the EDPS’ ruling, the Commission said it would look into its data sharing methods and added it was grateful to the watchdog.


Blathnaid O’Dea was a Careers reporter at Silicon Republic until 2024.
