The EU’s data protection watchdog has ruled that the European Commission’s use of Microsoft 365 infringes the bloc’s data protection law, and has ordered changes.
The EU has strict data protection laws, a stance that has raised issues when using US-based cloud providers and their services. The European Data Protection Supervisor (EDPS) has determined that the Commission’s agreement with Microsoft does not give data transferred outside the EU the level of protection required by the data protection regulation.
In particular, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA. Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.
The EDPS has ordered the Commission to suspend data flow related to its Microsoft 365 use, effective December 9, 2024.
The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.
The date was chosen in an effort to ensure that the Commission’s ability to carry out its duties is not crippled while the situation is being resolved.
“It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” said Wojciech Wiewiórowski, EDPS. “This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.”