The European Commission failed to safeguard the transfer of data being sent through the M365 app from the EU to other regions.

The European Commission (EC) has violated several key data protection rules in its use of Microsoft 365 regarding the transfer of people’s personal data from Europe to other regions not covered by EU data-protection laws, a key European privacy watchdog found.

The European Data Protection Supervisor (EDPS) on Tuesday chastised the EC after finding it did not take proper protective measures when sending personal data outside the EU and European Economic Area (EEA) while using the cloud-based app. In addition, the EC failed to specify in its contract with Microsoft “what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” according to an EDPS statement.

The findings — the result of a three-year investigation that began in 2021 — suggest that, like tech giants, even trusted government entities that should have data privacy as a top priority don’t necessarily keep the data they collect safe.

“It is the responsibility of the EU institutions, bodies, offices, and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” EDPS Supervisor Wojciech Wiewiórowski said in a statement.

Compliance required

Specifically, the EC violated Regulation (EU) 2018/1725, the EU’s data protection law for EUIs. Moreover, many of the infringements concern “all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365,” affecting “a large number of individuals,” according to the EDPS.
As a result, the EDPS has ordered the commission to suspend all data flows resulting from its use of Microsoft 365, not only to Microsoft but also to its affiliates and sub-processors located in countries outside the EU/EEA that don’t have an adequacy agreement with the EC. Typically, these agreements — which the EC has with various regions — dictate how the transfer of personal data is handled once it leaves the EU. This is to ensure that the data is protected under EU laws even when sent to another country where data-privacy laws differ. The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, the UK, and the US.

Aware that suspending a large number of data flows is complicated, the watchdog is giving the commission “appropriate time” to comply with the suspension so as not “to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise official authority,” the EDPS said. Further, the EC has until Dec. 9 to demonstrate to the EDPS that all processing operations resulting from its use of Microsoft 365 are in compliance with Regulation (EU) 2018/1725.

Is secure data a myth?

Even the required compliance ultimately “might not change anything” unless it’s backed “with either continuous enforcement or requirements on a more granular disclosure/audit,” said Narayana Pappu, CEO at Zendata, a provider of data security and privacy compliance solutions.

That’s because securing data once it’s been transferred via the Internet — whether it’s collected by government entities, social-media companies, or online applications — is difficult, despite well-meaning attempts at regulation and protection by various regulatory bodies. “It is difficult to truly understand what happens with data once it’s collected,” Pappu said.
The scenario becomes even more complicated with cloud-based applications, which “follow a microservice architecture with tens and even hundreds of third-party subprocessors,” he said. “It is difficult to really evaluate what is going on with the data and how it is being used.”

Moreover, sometimes an entity collecting data online doesn’t even know the data is being shared, he said, citing a case in which DuckDuckGo, the search platform that prides itself on privacy, was unknowingly sharing information with Microsoft. “This was not obvious in their disclosures and did not come up until an investigation by a web expert,” Pappu said.