EU Commission Faces Scrutiny Over Microsoft 365 Data Breach: EDPS Imposes Corrective Measures

Introduction

An inquiry into the European Union’s use of Microsoft 365 has concluded that the Commission violated the bloc’s data protection rules in adopting the cloud-based productivity software. The European Data Protection Supervisor (EDPS) announced its findings in a press release, stating that the Commission breached “several crucial data protection rules while employing Microsoft 365”. Having found that the European Commission (Commission) had contravened several key data protection provisions in its use of Microsoft 365, the EDPS has ordered the Commission to implement corrective measures.

The EDPS discovered that the Commission had violated multiple provisions outlined in Regulation (EU) 2018/1725, which is the EU’s data protection legislation for EU institutions, bodies, offices, and agencies (EUIs). These breaches include those concerning the transfer of personal data outside the EU/European Economic Area (EEA). 

Specifically, the Commission failed to establish adequate safeguards ensuring that personal data transferred outside the EU/EEA received a level of protection essentially equivalent to that guaranteed within the EU/EEA. Moreover, the Commission’s contract with Microsoft lacked sufficient specification regarding the types of personal data to be collected and the explicit, specified purposes for which they would be used within Microsoft 365. Additionally, the Commission’s infringements as a data controller extend to data processing activities, including the transfer of personal data conducted on its behalf.

Background 

The EDPS initiated an investigation into the European Commission’s utilization of Microsoft 365 in May 2021, prompted by the Schrems II judgment. The primary objective of this investigation was to assess the Commission’s adherence to the Recommendations previously provided by the EDPS regarding the utilization of Microsoft’s products and services by EU institutions and bodies. This inquiry forms part of the broader efforts undertaken by the EDPS within the framework of its involvement in the 2022 Coordinated Enforcement Action of the European Data Protection Board.

The European Data Protection Supervisor (EDPS) has found the European Commission in violation of various provisions of Regulation (EU) 2018/1725, citing multiple infringements related to the handling of personal data under the 2021 Interinstitutional Licensing Agreement (2021 ILA) with Microsoft Ireland. 

The EDPS investigation covers the period from 12 May 2021 to 8 March 2024, outlining specific breaches that have implications for the protection of individuals’ privacy and the lawful processing of their data.

Infringements

Purpose limitation 

Purpose Limitation (Article 4(1)(b) of Regulation (EU) 2018/1725):

  1. The Commission failed to sufficiently determine the types of personal data collected under the 2021 ILA for each processing purpose, hindering the specification and explicitness of those purposes.
  2. The Commission did not ensure that the purposes for Microsoft’s collection of personal data under the 2021 ILA were clearly specified and explicit.

Insufficient Determination and Lack of Documentation (Article 29(3)(a) of Regulation (EU) 2018/1725):

  1. The 2021 ILA did not adequately determine which types of personal data were to be processed for specific purposes.
  2. The Commission failed to provide sufficiently clear and documented instructions for the processing of personal data as required by Article 29(3)(a).

Failure to Ensure Documented Instructions (Articles 4(2), 26(1), and 30 of Regulation (EU) 2018/1725):

  1. The Commission violated Articles 4(2) and 26(1) in conjunction with Article 30 by neglecting to ensure that Microsoft processed personal data solely based on documented instructions from the Commission.

Inadequate Assessment of Compatibility (Article 6 of Regulation (EU) 2018/1725):
 
  1. The Commission neglected to assess whether the purposes for further processing of personal data were compatible with the initial purposes for which the data were collected.

Failure to Assess Necessity and Proportionality (Article 9 of Regulation (EU) 2018/1725): 

  1. The Commission infringed Article 9 by not assessing the necessity and proportionality of transmitting personal data to Microsoft Ireland and its sub-processors within the EEA for a specific purpose in the public interest.

Transfers of personal data outside the EU/EEA

Failure to Clearly Specify Data Transfers (Article 29(3)(a) of Regulation (EU) 2018/1725):
 
  1. The Commission infringed Article 29(3)(a) by not clearly outlining in the 2021 ILA the types of personal data that could be transferred to third countries, the recipients in those countries, and the purposes for such transfers. Additionally, it failed to provide documented instructions to Microsoft regarding these transfers.

Lack of Appropriate Safeguards (Articles 4(2), 46, and 48 of Regulation (EU) 2018/1725):
 
  1. The Commission violated several articles by failing to provide adequate safeguards to ensure that data transferred outside the EEA enjoyed an essentially equivalent level of protection.
  2. It neglected to appraise what personal data would be transferred, to whom, and for what purposes, thus lacking essential information necessary to determine the need for supplementary measures.
  3. Effective supplementary measures for transfers to the United States were not implemented prior to the US adequacy decision, nor was there evidence of their existence.
  4. The Commission failed to ensure that transfers to third countries, particularly to the United States, complied with the standards set in the Schrems II judgment.

Inadequate Implementation of Standard Contractual Clauses (SCCs) (Articles 4(2), 46, and 48(1) and (3)(a) of Regulation (EU) 2018/1725):
 
  1. The Commission concluded SCCs for transfers to Microsoft Corporation without clearly mapping the proposed transfers, conducting a transfer impact assessment, or including appropriate safeguards.
  2. It did not obtain authorization from the EDPS for these SCCs, as required by Article 48(3)(a) of Regulation (EU) 2018/1725.

Failure to Ensure Transfers for Competence-Based Tasks (Article 47(1) of Regulation (EU) 2018/1725):
 
  1. The Commission breached Article 47(1) by failing to ensure that transfers of personal data outside the EEA were solely for tasks within the competence of the controller.

Unauthorised disclosures of personal data

Failure to Ensure Legal Basis for Non-Disclosure (Article 29(3)(a) of Regulation (EU) 2018/1725):
 
  1. The Commission violated Article 29(3)(a) by not ensuring that, for personal data processed within the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure. Moreover, for personal data processed outside the EEA, the Commission failed to ensure that any prohibition of notification constitutes a necessary and proportionate measure, respecting fundamental rights and freedoms recognized by the Charter, as per the interpretation in the Schrems II judgment.

Failure to Assess Third Country Legislation and Implement Protective Measures (Articles 4(1)(f), 33(1) and (2), and 36 of Regulation (EU) 2018/1725):
 
  1. The Commission breached several articles by neglecting to assess the legislation of all third countries to which personal data were envisaged to be transferred under the 2021 ILA.
  2. It failed to ensure that Microsoft and its sub-processors did not make unauthorized disclosures of personal data within and outside of the EEA, contrary to EU law.
  3. Effective technical and organizational measures were not implemented to ensure processing in accordance with the principle of integrity and confidentiality within and outside the EEA, as required to maintain an essentially equivalent level of protection.

Analysis

The European Data Protection Supervisor (EDPS) investigated the European Commission’s use of Microsoft 365 and other U.S. cloud services. The investigation, which began in May 2021, centred on Microsoft’s handling of user data, including the legal basis for data processing, the clarity of the contract, and the lack of technical safeguards ensuring that data is used only for its intended purposes.

One significant aspect of the investigation is the absence of a data transfer agreement between the EU and the U.S. following the invalidation of the EU-U.S. Privacy Shield in July 2020. This absence meant that for a considerable period, data transfers from the EU to the U.S., which occur routinely due to the use of Microsoft 365, lacked adequate safeguards. The EDPS found that the European Commission failed to ensure equivalent data protections once data left the EU.

As a result of these findings, the EDPS has ordered the European Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located outside the EU/EEA, without an adequacy decision on data transfers. Additionally, the Commission must conduct a thorough data transfer-mapping exercise to identify the personal data transferred, recipients, purposes, and safeguards. Any transfers to non-EU countries without an adequacy decision must be solely for tasks within the controller’s competence.
 
Despite regulatory pressure and heightened risks associated with data transfers, Microsoft has responded by expanding its data localization efforts for European cloud customers through the “EU Data Boundary for the Microsoft Cloud” infrastructure. However, this infrastructure is still being rolled out and remains porous, allowing some data to remain accessible outside the EU even after completion, as confirmed by Microsoft.
 

Outcome

In response to the investigation into the European Commission’s use of Microsoft 365 and other U.S. cloud services, the European Data Protection Supervisor (EDPS) has issued several orders and corrective measures. Effective from December 9, 2024, the Commission is ordered to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located outside the EU/EEA, unless covered by an adequacy decision. Additionally, the Commission is required to bring its processing operations in compliance with Regulation (EU) 2018/1725 by the same date. 
 

Corrective measures

The European Data Protection Supervisor (EDPS) has determined the following corrective measures in response to the identified infringements:
 
Data Flow Suspension (Article 58(2)(j) of Regulation (EU) 2018/1725):
 
  1. The Commission is ordered to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in third countries not covered by an adequacy decision, effective from December 9, 2024.
  2. The Commission must demonstrate the effective implementation of this suspension.

Compliance with Processing Operations (Article 58(2)(e) of Regulation (EU) 2018/1725) by December 9, 2024:
 
  1. A transfer-mapping exercise must be conducted to identify the personal data transferred to recipients in third countries, specifying purposes and safeguards, including onward transfers.
  2. All transfers to third countries should occur solely to allow tasks within the competence of the controller to be carried out.
  3. The Commission is required to ensure, through contractual provisions and organizational and technical measures, that:
  • Personal data are collected for explicit and specified purposes.
  • Types of personal data are sufficiently determined in relation to processing purposes.
  • Processing by Microsoft or its affiliates or sub-processors aligns with the Commission’s documented instructions, or, for processing outside the EEA, complies with third-country laws ensuring a level of protection equivalent to that in the EEA.
  • Personal data are not further processed in a manner incompatible with the collected purposes.
  • Transmissions to Microsoft Ireland or its affiliates and sub-processors in the EEA comply with Article 9 of Regulation (EU) 2018/1725.
  • For personal data processed outside the EEA, any prohibition on notification to the Commission constitutes a necessary and proportionate measure respecting fundamental rights and freedoms.
  • Disclosures of personal data by Microsoft or its sub-processors only occur if required by EU or Member State law or, for personal data processed outside the EEA, third-country laws ensuring a level of protection equivalent to that in the EEA.

Reprimand Issuance (Article 58(2)(b) of Regulation (EU) 2018/1725):

  1. A reprimand is issued to the Commission for the identified infringements. These corrective measures are imposed to address the compliance issues identified by the EDPS, assuming the Commission continues to utilize Microsoft’s cloud suite.

Author: Kosha Doshi, Final Year Student at Symbiosis Law School Pune and Legal Intern, Data Privacy and Digital Law, at Eu Digital Partners.

Kosha is also a co-author of “Facial Recognition at CrossRoads: Policy Perspectives on Disruption and Innovation”, at the Closing the Gap 2023 | Emerging and Disruptive Technologies: Regional Perspectives Conference in The Hague, Netherlands.