The European Data Protection Supervisor (EDPS) warned the European Commission over its use of Microsoft software, citing serious breaches of data protection rules.
The Commission's dependence on Microsoft 365, a suite of essential tools including Word documents, Excel spreadsheets, PowerPoint presentations, and Outlook emails, has come under heavy scrutiny following an EDPS probe.
EU Commission's Breach of Data Protection Rules
According to the EDPS, the European Commission failed to implement adequate safeguards and comply with Regulation (EU) 2018/1725, the EU's data protection law for EU institutions, notably regarding data transfers beyond the European Union.
"It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures," Wojciech Wiewiórowski, EDPS, said.
According to the watchdog, the contract between the Commission and Microsoft did not specify the types of personal data collected and the explicit uses for which they were intended.
In response to the findings, the EDPS directed the Commission to halt all data flows from its usage of Microsoft 365 to Microsoft and its affiliates in countries outside the EU/EEA not covered by an adequacy decision.
This directive is significant given the EU's data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain, and the United States.
The Commission was given until December 9, 2024, to bring its processing activities into compliance with regulations.
Microsoft, EU Commission Respond
The severity and duration of the breaches prompted the EDPS to apply corrective measures deemed appropriate, necessary, and proportionate. The ramifications of these breaches are far-reaching, affecting many individuals and all processing procedures carried out by the Commission or on its behalf utilizing Microsoft 365.
This development comes after a three-year probe initiated due to concerns surrounding the transfer of personal data to non-EU countries, catalyzed by revelations in 2013 by former U.S. intelligence contractor Edward Snowden of mass U.S. surveillance.
In response to the EDPS's decision, Microsoft has expressed its willingness to review the findings and collaborate with the EU executive to address concerns.
A spokesperson for Microsoft told Reuters that the EDPS's concerns largely pertain to stricter transparency requirements under the European Union Data Protection Regulation (EUDPR), which applies solely to EU institutions.
In Other News
Russian government hackers have breached Microsoft's servers, and the tech giant confirms that it has yet to contain the data breach or eject the state-sponsored hackers. Microsoft says it will continue giving information despite the "ongoing attack."
The Microsoft Security Team uncovered the nation-state attack on January 12, 2024, and publicly reported it on January 19.