European Commission’s Use of Microsoft 365 Violated Data Protection Rules Finds Investigation
The EU’s privacy watchdog has found that the European Commission (EC) violated data protection rules by using Microsoft’s products. Find out more about the nature of the infraction and its implications for EC operations going forward.
- The European Data Protection Supervisor (EDPS) has found that the European Commission violated data protection rules by using the Microsoft 365 suite.
- The violations are related to the protection and processing of personal data in EU institutions and safeguards for the rights to privacy of individuals in the region.
An investigation by the European Data Protection Supervisor (EDPS) into the European Commission’s (EC) use of the Microsoft 365 suite has found that the Commission violated data protection regulations by using the software. The violations relate to regulations governing the protection of personal data in agencies, offices, and institutions within the EU and the right to privacy for individuals.
According to the EDPS report, the European Commission was negligent in setting up adequate protections to control the transfer of personal data outside the European Economic Area. The EC did not specify what types of personal data could be collected and processed in Microsoft 365 in its contract with the company.
The European Commission frequently uses Microsoft 365’s cloud and collaboration services, including applications such as OneDrive, Teams, Excel, Word, Outlook, and PowerPoint. However, all EU entities are responsible for ensuring that personal data is collected and processed only where adequate data protection measures are in place.
Following the investigation’s revelations, the EDPS has sent instructions on corrective measures. These include stopping the transmission of data from Microsoft products to non-EU countries without the presence of safeguards. In addition, the EC will have to limit data transfers to third countries made without adequately studying controller competence and conducting transfer mapping exercises.
A spokesperson for the European Commission spoke about the matter, stating the need to analyze the investigation’s conclusions. He also raised concerns that complying with the EDPS judgment would hurt the efficacy of existing mobile and integrated services, which are linked not only to Microsoft but also to several other IT service providers.
While the EDPS has given the European Commission time to make changes in line with regulations, it remains to be seen to what extent the EC will comply and whether further actions will be taken.