The Euro­pean Commission’s use of Micro­soft 365

Euro­pean Data Pro­tec­tion Super­vi­sor suspects data pro­tec­tion violations

In March 2024, the Euro­pean Data Pro­tec­tion Super­vi­sor (EDPS) made public suspec­ted data pro­tec­tion vio­la­ti­ons in the use of Micro­soft 365 by the Euro­pean Com­mis­si­on. The EDPS’s assess­ment is dif­fi­cult to under­stand and for­t­u­na­te­ly has no direct impact on the use of Micro­soft 365 by data con­trol­lers in the Mem­ber Sta­tes. Howe­ver, the fin­dings of the EDPS could reig­ni­te the dis­cus­sion about the data protection-compliant use of Micro­soft 365 in Ger­ma­ny as well.

Fin­dings of the EDPS

The EDPS’s enga­ge­ment with Micro­soft 365 is not­hing new. Back in 2020, the EDPS con­duc­ted an inves­ti­ga­ti­on into the use of Micro­soft 365 by the EU insti­tu­ti­on and found alle­ged vio­la­ti­ons even then. The EDPS’s most recent cri­ti­cism rela­tes to the Euro­pean Commission’s 2021 Inter­in­sti­tu­tio­nal Licence Agree­ment (2021 ILA) and the Micro­soft Data Pro­ces­sing Agree­ment (DPA) con­tai­ned the­r­ein. In the opi­ni­on of the EDPS, this neither ensu­res the rest­ric­tion of data pro­ces­sing to spe­ci­fic pur­po­ses nor suf­fi­ci­ent data pro­tec­tion in data trans­fers to third count­ries and data sha­ring. In order to reme­dy the vio­la­ti­ons iden­ti­fied, the Euro­pean Com­mis­si­on is reques­ted to sus­pend all data flows from the use of Micro­soft 365 to Micro­soft and its affi­lia­tes and pro­ces­sors based in third count­ries that are not cover­ed by an ade­quacy decis­i­on pur­su­ant to Art. 47 (1) of Regu­la­ti­on (EU) 2018/1725 by 9 Decem­ber 2024. In addi­ti­on, the Euro­pean Com­mis­si­on should bring all pro­ces­sing ope­ra­ti­ons car­ri­ed out in con­nec­tion with the use of Micro­soft 365 into con­for­mi­ty with Regu­la­ti­on (EU) 2018/1725 and fur­nish appro­pria­te pro­of the­reof to the EDPS.

Assess­ment

The EDPS cites 12 May 2021 as the cut-off date for its fin­dings, but at the same time empha­si­s­es that the alle­ged vio­la­ti­ons still con­tin­ued until the decis­i­on of 8 March 2024. This fin­ding is some­what sur­pri­sing, as Micro­soft had mean­while made num­e­rous impro­ve­ments to its DPA in respon­se to cri­ti­cism from the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. For ins­tance, as part of the intro­duc­tion and imple­men­ta­ti­on of the EU Data Boun­da­ry, detail­ed infor­ma­ti­on was made available on the data pro­ces­sed in third count­ries. In the Micro­soft Online Ser­vices Subpro­ces­sor List, Micro­soft now also pro­vi­des com­pre­hen­si­ve infor­ma­ti­on about the subpro­ces­sors enga­ged. Howe­ver, it is pos­si­ble that the­se num­e­rous impro­ve­ments have not been incor­po­ra­ted into the con­tracts bet­ween Micro­soft and the Euro­pean Commission.

It must also be poin­ted out that the data pro­tec­tion requi­re­ments impo­sed on the Euro­pean Com­mis­si­on are based on Regu­la­ti­on (EU) 2018/1725. Even though this Regu­la­ti­on is based on the GDPR, the assess­ment cri­te­ria are dif­fe­rent. Moreo­ver, the EDPS is not a ’super’ super­vi­so­ry aut­ho­ri­ty and has no aut­ho­ri­ty to issue ins­truc­tions to the Euro­pean Data Pro­tec­tion Board (EDPB) or the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties of the Mem­ber Sta­tes. The fin­dings of the EDPS the­r­e­fo­re have no direct effect on the con­trol­lers in the Mem­ber Sta­tes and the­re are seve­ral reasons why the fin­dings should not be appli­ca­ble in sub­s­tance to the con­trol­lers in the Mem­ber States.

Recom­men­ded approach

Ger­man data con­trol­lers using Micro­soft 365 should not be deter­red by the fin­dings of the EDPS. The EDPS’s cri­ti­cism rela­tes to the con­tracts bet­ween Micro­soft and the Euro­pean Com­mis­si­on. A final assess­ment of Microsoft’s latest DPA (as of 2 Janu­ary 2024) by the Data Pro­tec­tion Con­fe­rence is still pen­ding. Moreo­ver, in our expe­ri­ence, legal assess­ments that devia­te from the rest­ric­ti­ve view of the Ger­man data pro­tec­tion super­vi­so­ry aut­ho­ri­ties and the EDPS are per­fect­ly tenable. The­r­e­fo­re, data con­trol­lers that imple­ment com­pre­hen­si­ve docu­men­ta­ti­on and assess­ment of the risks as well as sui­ta­ble reme­di­al mea­su­res need not fear dis­cus­sions with the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties or legal pro­cee­dings. With this in mind, it is also to be hoped that the Euro­pean Com­mis­si­on will bring about a judi­cial cla­ri­fi­ca­ti­on of the EDPS’s findings.