European Commission’s use of Microsoft 365 violates privacy laws
According to an investigation report, the European Commission’s (EC’s) use of Microsoft 365 services violated European Union data protection regulations.
As announced this week, the finding came from the European Data Protection Supervisor (PDF). The EC’s contract with Microsoft for the use of Microsoft 365 services did not specify what data could be collected and for what purpose. The EC also did not have safeguards in place for data transfers outside the European Union.
The European Data Protection Supervisor has now ordered the EC to bring the use of Microsoft 365 services into compliance with EU data protection regulations. Non-compliant Microsoft 365 data flows will be stopped “starting December 9, 2024.”
The EC’s failure to ensure safeguards when contracting for the use of Microsoft 365 services occurred over a three-year period. The violations date back to “May 12, 2021” and continued until “March 8, 2024,” the date of the European Data Protection Supervisor’s decision.
The announcement did not indicate that Microsoft itself is not compliant with EU data protection laws. Rather, the supervisor faulted the EC for not contractually specifying how data should be processed using Microsoft 365 services.
The European Data Protection Supervisor is an independent body empowered to carry out data protection audits and take corrective measures under EU Regulation 2018/1725 on the processing of personal data. As explained in the FAQ document, it has, in particular, audit and remedial duties with respect to EU institutions.
About the author
Kurt Mackie is a senior news producer in 1105 Media’s Converge360 group.