The European Data Protection Supervisor (EDPS) has investigated the European Commission 's use of Microsoft 365 and found several violations of data protection rules. Following its investigation, the EDPS found that the European Commission had breached several provisions of Regulation (EU) 2018/1725, the EU's data protection law for EU institutions, bodies, offices, and agencies (EUIs).

Among the violations were inadequacies in safeguarding personal data transferred outside the EU/European Economic Area (EEA) to ensure an equivalent level of protection and a lack of specification regarding the types of personal data collected by Microsoft and the purposes for which they were collected under the contract between the Commission and Microsoft. In response to these findings, the EDPS has imposed corrective measures on the Commission, including the suspension of data flows to Microsoft and its affiliates and sub-processors located outside the EU/EEA without adequacy decisions. The Commission is also required to bring its processing operations resulting from the use of Microsoft 365 into compliance with EU data protection regulations by December 9, 2024.

Failure to comply with these orders could result in further actions by the EDPS. The EDPS clarified that these measures aim to address the seriousness and duration of the infringements found, which impact a significant number of individuals. However, the EDPS also considers the Commission's need to fulfill its tasks in the public interest and exercise its official authority.

Therefore, the Commission has been granted time to implement the necessary changes while ensuring the continuity of its operations. The decision is part of ongoing efforts to uphold data protection standards within EU institutions. The investigation into the Commission's use of Microsoft 365 began in May 2021 following the Schrems II judgment and is part of the EDPS' participation in the 2022 Coordinated Enforcement Action of the European Data Protection Board (EDPB).

EU data protection supervisor imposes corrective measures on European Commission The corrective measures specified by the EDPS include a range of actions for the Commission to undertake. These include identifying and specifying the types of personal data transferred, ensuring transfers occur solely for tasks within the Commission's authority, and implementing contractual provisions to govern data processing by Microsoft and its affiliates. Furthermore, the Commission must assess the necessity and proportionality of data transmissions to Microsoft Ireland and its sub-processors in the EEA.

Besides, the EDPS has issued a reprimand to the Commission for all infringements found. Among the violations identified are failures to sufficiently specify collected personal data types and processing purposes under the 2021 Interinstitutional Licensing Agreement (ILA) with Microsoft Ireland. Additionally, the Commission did not provide clear instructions for processing personal data and failed to assess the compatibility of further data processing with initial purposes.

The EDPS has also determined that the Commission infringed regulations by failing to provide clear instructions on data transfers to third countries, ensure adequate safeguards for data protection outside the EU/EEA, and obtain authorisation for standard contractual clauses (SCCs) used in data transfers to Microsoft Corporation. The Commission violated regulations by not ensuring that only EU or Member State law prohibits notification to the Commission of requests for disclosure of personal data processed in the EEA. Additionally, it failed to assess the legislation of third countries where personal data transfers were planned, leading to unauthorized disclosures by Microsoft and its sub-processors.

.