EC’s use of Microsoft 365 violates data-privacy rules, watchdog group says

The European Commission (EC) has violated several key data protection rules in its use of Microsoft 365 regarding the transfer of people’s personal data from Europe to other regions not covered by EU data-protection laws, a key European privacy watchdog found.

The European Data Protection Supervisor (EDPS) on Tuesday chastized the EC after finding it did not take proper protective measures when sending personal data outside the EU and European Economic Area (EEA) when using the cloud-based app.

In addition, the EC failed to specify in its contract with Microsoft “what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” according to an EDPS statement.

The findings — the result of a three-year investigation that began in 2021 — suggest like tech giants, even trusted government entities that should have data privacy as a top priority don’t necessarily keep the data they collect safe.  

“It is the responsibility of the EU institutions, bodies, offices, and  agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” EDPS Supervisor Wojciech Wiewiórowski said in a statement.

Compliance required

Specifically, the EC violated Regulation (EU) 2018/1725, the EU’s data protection law for EUIs. Moreover, many of the infringements concern “all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365,” affecting “a large number of individuals,” according to the EDPS.

As a result, the EDPS has ordered the commission to suspend all data flows resulting from its use of Microsoft 365 not only to Microsoft, but also to its affiliates and sub-processors located in countries outside the EU/EEA that don’t have an adequacy agreement with the EC.

Typically, these agreements — which the EC has with various regions — dictate how the transfer of personal data is handled once it leaves the EU. This is to ensure that the data is protected under EU laws even when sent to another country where data-privacy laws differ. The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, the UK, and the US.

Aware that suspending a large number of data flows is complicated, the watchdog is giving the commission “appropriate time” to comply with the suspension so as not “to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise official authority,” the EDPS said.

Further, the EC has until Dec. 9 to demonstrate to the EDPS that all processing operations resulting from its use of Microsoft 365 are in compliance with Regulation (EU) 2018/1725.

Is secure data a myth?

Even the required compliance ultimately “might not change anything” unless it’sbacked “with either continuous enforcement or requirements on a more granular disclosure/audit,”  said Narayana Pappu, CEO at Zendata, a provider of data security and privacy compliance solutions.

That’s because securing data once it’s been transferred via the Internet — whether it’s collected by government entities, social-media companies, or online applications — is difficult, despite well-meaning attempts at regulation and protection by various regulatory bodies. “It is difficult to truly understand what happens with data once it’s collected,” Pappu said.

The scenario becomes even more complicated with cloud-based applications, which “follow a microservice architecture with tens and even hundreds of third-party subprocessors,” he said. “It is difficult to really evaluate what is going on with the data and how it is being used.”

Moreover, sometimes an entity collecting data online doesn’t even know the data is being shared, he said, citing a case in which DuckDuckGo, the search platform that prides itself on privacy, was unknowingly sharing information with Microsoft.

“This was not obvious in their disclosures and did not come up until an investigation by a web expert,” Pappu said.