The Euro­pean Commission’s use of Micro­soft 365

Euro­pean Data Pro­tec­tion Super­vi­sor suspects data pro­tec­tion violations

In March 2024, the Euro­pean Data Pro­tec­tion Super­vi­sor (EDPS) made public suspec­ted data pro­tec­tion vio­la­ti­ons in the use of Micro­soft 365 by the Euro­pean Com­mis­si­on. The EDPS’s assess­ment is dif­fi­cult to under­stand and for­t­u­na­te­ly has no direct impact on the use of Micro­soft 365 by data con­trol­lers in the Mem­ber Sta­tes. Howe­ver, the fin­dings of the EDPS could reig­ni­te the dis­cus­sion about the data protection-compliant use of Micro­soft 365 in Ger­ma­ny as well.

Fin­dings of the EDPS

The EDPS’s enga­ge­ment with Micro­soft 365 is not­hing new. Back in 2020, the EDPS con­duc­ted an inves­ti­ga­ti­on into the use of Micro­soft 365 by the EU insti­tu­ti­on and found alle­ged vio­la­ti­ons even then. The EDPS’s most recent cri­ti­cism rela­tes to the Euro­pean Commission’s 2021 Inter­in­sti­tu­tio­nal Licence Agree­ment (2021 ILA) and the Micro­soft Data Pro­ces­sing Agree­ment (DPA) con­tai­ned the­r­ein. In the opi­ni­on of the EDPS, this neither ensu­res the rest­ric­tion of data pro­ces­sing to spe­ci­fic pur­po­ses nor suf­fi­ci­ent data pro­tec­tion in data trans­fers to third count­ries and data sha­ring. In order to reme­dy the vio­la­ti­ons iden­ti­fied, the Euro­pean Com­mis­si­on is reques­ted to sus­pend all data flows from the use of Micro­soft 365 to Micro­soft and its affi­lia­tes and pro­ces­sors based in third count­ries that are not cover­ed by an ade­quacy decis­i­on pur­su­ant to Art. 47 (1) of Regu­la­ti­on (EU) 2018/1725 by 9 Decem­ber 2024. In addi­ti­on, the Euro­pean Com­mis­si­on should bring all pro­ces­sing ope­ra­ti­ons car­ri­ed out in con­nec­tion with the use of Micro­soft 365 into con­for­mi­ty with Regu­la­ti­on (EU) 2018/1725 and fur­nish appro­pria­te pro­of the­reof to the EDPS.


The EDPS cites 12 May 2021 as the cut-off date for its fin­dings, but at the same time empha­si­s­es that the alle­ged vio­la­ti­ons still con­tin­ued until the decis­i­on of 8 March 2024. This fin­ding is some­what sur­pri­sing, as Micro­soft had mean­while made num­e­rous impro­ve­ments to its DPA in respon­se to cri­ti­cism from the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. For ins­tance, as part of the intro­duc­tion and imple­men­ta­ti­on of the EU Data Boun­da­ry, detail­ed infor­ma­ti­on was made available on the data pro­ces­sed in third count­ries. In the Micro­soft Online Ser­vices Subpro­ces­sor List, Micro­soft now also pro­vi­des com­pre­hen­si­ve infor­ma­ti­on about the subpro­ces­sors enga­ged. Howe­ver, it is pos­si­ble that the­se num­e­rous impro­ve­ments have not been incor­po­ra­ted into the con­tracts bet­ween Micro­soft and the Euro­pean Commission.

It must also be poin­ted out that the data pro­tec­tion requi­re­ments impo­sed on the Euro­pean Com­mis­si­on are based on Regu­la­ti­on (EU) 2018/1725. Even though this Regu­la­ti­on is based on the GDPR, the assess­ment cri­te­ria are dif­fe­rent. Moreo­ver, the EDPS is not a ’super’ super­vi­so­ry aut­ho­ri­ty and has no aut­ho­ri­ty to issue ins­truc­tions to the Euro­pean Data Pro­tec­tion Board (EDPB) or the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties of the Mem­ber Sta­tes. The fin­dings of the EDPS the­r­e­fo­re have no direct effect on the con­trol­lers in the Mem­ber Sta­tes and the­re are seve­ral reasons why the fin­dings should not be appli­ca­ble in sub­s­tance to the con­trol­lers in the Mem­ber States.

Recom­men­ded approach

Ger­man data con­trol­lers using Micro­soft 365 should not be deter­red by the fin­dings of the EDPS. The EDPS’s cri­ti­cism rela­tes to the con­tracts bet­ween Micro­soft and the Euro­pean Com­mis­si­on. A final assess­ment of Microsoft’s latest DPA (as of 2 Janu­ary 2024) by the Data Pro­tec­tion Con­fe­rence is still pen­ding. Moreo­ver, in our expe­ri­ence, legal assess­ments that devia­te from the rest­ric­ti­ve view of the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and the EDPS are per­fect­ly tenable. The­r­e­fo­re, data con­trol­lers that imple­ment com­pre­hen­si­ve docu­men­ta­ti­on and assess­ment of the risks as well as sui­ta­ble reme­di­al mea­su­res need not fear dis­cus­sions with the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties or legal pro­cee­dings. With this in mind, it is also to be hoped that the Euro­pean Com­mis­si­on will bring about a judi­cial cla­ri­fi­ca­ti­on of the EDPS’s findings.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.