The European Data Protection Supervisor (EDPS) has concluded that the European Commission’s use of Microsoft 365 violates several EU data protection provisions covering the transfer of personal data outside the EU/EEA.
These regulations, and the related transparency requirements, apply only to data handling by EU institutions.
Following a three-year investigation, the EDPS states that “in its contract with Microsoft, the European Commission did not sufficiently specify what types of personal data are collected when using Microsoft 365, or whether they are collected for explicit and specific purposes.”
The EDPS has determined that the European Commission has not put in place adequate safeguards to ensure that personal data transferred outside the EU/EEA is afforded the same level of protection as is guaranteed within the EU/EEA.
The EDPS noted that “the Commission’s infringement as a data controller also relates to data processing, including the transfer of personal data, carried out on behalf of the Commission.”
The watchdog ordered the European Commission to “suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries not subject to an adequacy decision.”
The Commission has until December 9, 2024 to demonstrate compliance with this EDPS decision.
Following the EDPS ruling, a Microsoft spokesperson told Reuters: “The concerns raised by the European Data Protection Supervisor are primarily related to transparency under the EUDPR, a law that applies only to institutions in the European Union and that has stricter requirements.”
The spokesperson added that these directives and regulations apply only to EU institutions, and that other users can continue to use Microsoft 365 as is.
European Data Protection Supervisor Wojciech Wiewiórowski said in a press release: “It is the responsibility of EU institutions, bodies, offices and agencies (EUIs) to ensure that personal data processed within and outside the EU/EEA, including through cloud-based services, is accompanied by strong data protection safeguards and measures.”
“This is essential to ensure that whenever personal data is processed by or on behalf of the EUIs, the information of individuals is protected as required by Regulation (EU) 2018/1725,” he added.
Javvad Malik, Lead Security Awareness Advocate at KnowBe4, said the situation highlights the complexity and operational challenges organizations face in maintaining compliance with data protection regulations such as GDPR.
“The stringent remedial actions requested by the European Commission, including the suspension of certain data flows and comprehensive transfer mapping exercises, demonstrate the seriousness with which these regulations will be implemented,” Malik said.
“The takeaway for cybersecurity professionals and organizations at large is clear: compliance is not a one-time task; it is an ongoing effort that requires constant vigilance, assessment, and adaptation,” he added.