European Data Protection Supervisor suspects data protection violations
In March 2024, the European Data Protection Supervisor (EDPS) made public suspected data protection violations in the use of Microsoft 365 by the European Commission. The EDPS’s assessment is difficult to understand and fortunately has no direct impact on the use of Microsoft 365 by data controllers in the Member States. However, the findings of the EDPS could reignite the discussion about the data protection-compliant use of Microsoft 365 in Germany as well.
Findings of the EDPS
The EDPS’s engagement with Microsoft 365 is nothing new. Back in 2020, the EDPS conducted an investigation into the use of Microsoft 365 by the EU institutions and found alleged violations even then. The EDPS’s most recent criticism relates to the European Commission’s 2021 Interinstitutional Licence Agreement (2021 ILA) and the Microsoft Data Processing Agreement (DPA) contained therein. In the opinion of the EDPS, this neither ensures that data processing is restricted to specific purposes nor provides sufficient data protection in data transfers to third countries and in data sharing. In order to remedy the violations identified, the European Commission is requested to suspend, by 9 December 2024, all data flows from the use of Microsoft 365 to Microsoft and to its affiliates and processors based in third countries that are not covered by an adequacy decision pursuant to Art. 47 (1) of Regulation (EU) 2018/1725. In addition, the European Commission should bring all processing operations carried out in connection with the use of Microsoft 365 into conformity with Regulation (EU) 2018/1725 and furnish appropriate proof thereof to the EDPS.
Assessment
The EDPS cites 12 May 2021 as the cut-off date for its findings, but at the same time emphasises that the alleged violations still continued until the decision of 8 March 2024. This finding is somewhat surprising, as Microsoft had meanwhile made numerous improvements to its DPA in response to criticism from the German data protection supervisory authorities. For instance, as part of the introduction and implementation of the EU Data Boundary, detailed information was made available on the data processed in third countries. In the Microsoft Online Services Subprocessor List, Microsoft now also provides comprehensive information about the subprocessors engaged. However, it is possible that these numerous improvements have not been incorporated into the contracts between Microsoft and the European Commission.
It must also be pointed out that the data protection requirements imposed on the European Commission are based on Regulation (EU) 2018/1725. Even though this Regulation is based on the GDPR, the assessment criteria are different. Moreover, the EDPS is not a ‘super’ supervisory authority and has no authority to issue instructions to the European Data Protection Board (EDPB) or the data protection supervisory authorities of the Member States. The findings of the EDPS therefore have no direct effect on the controllers in the Member States and there are several reasons why the findings should not be applicable in substance to the controllers in the Member States.
Recommended approach
German data controllers using Microsoft 365 should not be deterred by the findings of the EDPS. The EDPS’s criticism relates to the contracts between Microsoft and the European Commission. A final assessment of Microsoft’s latest DPA (as of 2 January 2024) by the Data Protection Conference is still pending. Moreover, in our experience, legal assessments that deviate from the restrictive view of the German data protection supervisory authorities and the EDPS are perfectly tenable. Therefore, data controllers that implement comprehensive documentation and assessment of the risks as well as suitable remedial measures need not fear discussions with the data protection supervisory authorities or legal proceedings. With this in mind, it is also to be hoped that the European Commission will bring about a judicial clarification of the EDPS’s findings.
Further information on this is available at:
Onepager on data protection compliance with Microsoft 365 [PDF]
Update: Data protection with Microsoft 365
Data Protection Conference begins reassessment of Microsoft 365
Guidelines for Microsoft 365 – Data protection supervisory authorities to publish “practical tips”
Microsoft 365: More data protection through the EU Data Boundary!
Microsoft 365: Response and prevention of requests from authorities