The European Data Protection Supervisor (EDPS) has concluded that the European Commission's use of Microsoft 365 infringed several EU data protection provisions covering the transfer of personal data outside the EU/EEA.
The regulations at issue apply only to EU institutions' handling of personal data and impose related transparency requirements.
Following a three-year probe, the EDPS concluded: "In its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365."
The EDPS has held that the Commission failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA is afforded an equivalent level of protection to that guaranteed within the region.
It noted that, "the Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf."
The watchdog has ordered the Commission to "suspend all data flows through the use of Microsoft 365 to Microsoft and any of its affiliates and sub-processors that might be located in any country not covered by an adequacy decision."
The Commission has been given until December 9, 2024 to demonstrate compliance with this EDPS directive.
Responding to the EDPS ruling, a spokesperson for Microsoft told Reuters, "Concerns raised by the European Data Protection Supervisor relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the European Union institutions."
The spokesperson said the directive and regulation applied only to EU institutions and that users could continue to use Microsoft 365 as is.
In a press release, EDPS Wojciech Wiewiórowski said: “It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures."
"This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI,” he added.
Speaking to The Stack, Javvad Malik, lead security awareness advocate at KnowBe4, said the situation highlighted the increasing complexity and operational challenges organisations face in maintaining compliance with data protection regulations like GDPR.
"The stringent corrective actions demanded of the European Commission, including a halt in certain data flows and a comprehensive transfer-mapping exercise, illustrate the gravity with which these regulations are enforced," said Malik.
"For cybersecurity practitioners and organisations at large, the takeaway is clear: compliance is not a one-time task but a continuous journey that requires constant vigilance, assessment, and adaptation," he added.