EU’s use of Microsoft 365 found to breach data protection rules

A lengthy investigation into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software.

Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed “several key data protection rules when using Microsoft 365”.

“The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiórowski, wrote, adding: “The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.”

The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft’s cloud suite.

Microsoft and the Commission were contacted for a response to the EDPS’ findings. But at the time of writing neither had responded.

The regulator, which oversees’ EU institutions’ compliance with data protection rules, opened a probe of the Commission’s use of Microsoft 365 and other US cloud services back in May 2021.

At issue is how Microsoft processes the data of users of its cloud service. EU regulators have been flagging concerns about this for years, including in relation to the legal basis Microsoft claims for processing data; a lack of clarity and precision in the wording of its contracts for the product; and no technical safeguards being applied to ensure data is only being used for providing and maintaining the service.

When the EDPS opened the investigation there was also no data transfer agreement in place between the bloc and the US, following the striking down of the EU-US Privacy Shield in July 2020.

A new transatlantic data transfer agreement was subsequently agreed and adopted, thee years later (July 2023). But for much of the period the EDPS was investigating the Commission’s use of Microsoft 365 there was no deal in place covering data transfers from the EU to the US. Yet use of Microsoft 365 routinely results in data flowing back to Microsoft’s servers in the US.

On data transfers, the EDPS found the Commission failed to ensure adequate safeguards were applied to these data exports to ensure essentially equivalent protections for data were in place once it left the bloc.

The data supervisor has ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an EU adequacy decision on data transfers — again, with a deadline of December 9 for this.

It has also been ordered to carry out a data transfer-mapping exercise — identifying “what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including an onward transfers”. It must also ensure all transfers to non-EU countries without an adequacy decision take place “solely to allow tasks within the competence of the controller to be carried out”.

More broadly, the EDPS’ corrective measures require the Commission to fix its contracts with Microsoft — to ensure they contain the necessary contractual provisions, organizational measures and/or technical measures to ensure personal data is only collected for explicit and specified purposes; and “sufficiently determined” in relation to the purposes for which they are processed.

Data must also only be processed by Microsoft or its affiliates or sub-processors “on the Commission’s documented instructions”, per the order — unless it takes place within the region and processing is for a purpose that complies with EU or Member State law; or, if outside the region to be processed for another purpose under third-country law there must be essentially equivalent protection applied.

The contracts must also ensure there is no further processing of data — i.e. uses beyond the original purpose for which data is collected.

The EDPS found the Commission infringed the “purpose limitation” principle of applicable data protection rules by failing to sufficiently determine the types of personal data collected under the licensing agreement it concluded with Microsoft Ireland, meaning it was unable to ensure these were specific and explicit.

The EU also failed to provide sufficiently clear documented instructions to Microsoft regarding the processing; failed to ensure its processing was limited by instruction; and failed to assess the compliance of Microsoft’s further processing with the purpose initially stated for the collection, among other violations of the rules the EDPS identified.

Commenting in a statement, Wiewiórowski wrote:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.

Over the last few years, Microsoft has responded to amped up EU regulatory risk attached to data transfers by expanding a data localization effort focused on regional cloud customers — in an infrastructure it’s branded the “EU Data Boundary for the Microsoft Cloud”. However the technical infrastructure is still in the process of being rolled out. It also remains porous by design, with some data set to remaining accessible outside the EU even when the rollout is slated to be completed at the end of this year, per Microsoft.