Standards, Regulations & Compliance
March Decision Mandated Commission to Stem Data Flows From Its Office 365 Use
The European Commission is appealing a March decision by a continental data regulator that found the commission’s use of Microsoft Office apps violated Regulation (EU) 2018/1725.
See Also: Webinar | Mythbusting MDR
The European Data Protection Supervisor gave the European Commission until early December to ensure that data generated through its use of Microsoft 365 products stay within the European Union or in countries with a comparable privacy regime.
An EDPS spokesperson confirmed Friday that the commission and Microsoft have each appealed the regulator’s decision. Neither party responded immediately to a request for comment.
The EDPS decision was the outcome of an investigation launched in 2021, prior to the adoption of the EU-U.S. Data Privacy Framework in 2023 – a legal framework meant to allow for the free transfer of commercial data across the Atlantic Ocean. “The commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf,” the EDPS said.
The agency launched the probe during a period when a trans-Atlantic data flow agreement was not active following a European Court of Justice ruling in July 2020 known as Schrems II invalidated the framework’s predecessor, known as the Privacy Shield.
The court found that Europeans’ data was subject to invasive U.S. intelligence surveillance, making data transfers to the United States illegal. The European Commission approved the framework last July after obtaining key commitments from the United States, including a pledge to keep intelligence gathering on Europeans proportional to national security. The U.S. Department of Justice also agreed to review European claims that personal information had been wrongly gathered up by U.S. intelligence agencies.
A commission spokesperson said in March that the EDPS decision would undermine its “mobile and integrated IT services.” The spokesperson also said the commission would analyze the decision and its “underlying reasons” before taking any steps.
If it goes into effect, the EDPS decision would essentially force the commission to switch from cloud service to on-premises infrastructure, said Theodore Christakis, a professor of data protection law at the Université Grenoble Alpes in France. He said the step is “practically impossible” due to the size of the organization.
“Even if possible, this switch would expose the commission to major issues, including reduced cybersecurity and the inability to use essential services only available on the cloud,” Christakis said.
Microsoft has repeatedly maintained that it has not “provided EU public sector customer data to any government.” Following heightened EU scrutiny, the company earlier this year unveiled its phased plan to locally store all personal data, such as automated system logs of its European cloud customers.