The Decision
The European Data Protection Supervisor (EDPS) has imposed corrective measures on the European Commission for violating data protection rules for the EU institutions, bodies, offices and agencies (EUIs) related to their use of Microsoft 365.
The EDPS has stated in a press release this March 11 – after an investigation started in May 2021 – that it will impose corrective measures on the European Commission. The aforementioned investigation followed the Schrems II judgment, which invalidated the Privacy Shield because it did not ensure equivalent protection of EU citizens’ data when their data was transferred from the EU to the U.S.
The European Commission has breached several provisions of the rules for data protection in the EU institutions and the duties of the European Data Protection Supervisor (EDPS) set out in the Regulation (EU) 2018/1725, or “EUDPR”, a regulation that only applies to EU institutions.
The provisions breached include those regarding transfers of personal data outside the EU/European Economic Area (EAA), unauthorized disclosures of personal data as well as infringing the principle of “purpose limitation” applicable to data protection rules.
The Commission did not provide adequate safeguards to ensure that personal data transferred outside the EU/EEA has the equivalent level of protection to data stored within the EU/EEA. In addition, The Commission did not sufficiently specify the types of personal data collected and for which explicit and specific purposes the data was being used under the Microsoft 365 licensing agreement. Moreover, as Data Controller, the Commission’s infringements include any transfer of personal data conducted on their behalf by Microsoft (the Data Processor).
Corrective Measures
Therefore, the EDPS imposed the following corrective measures to the Commission:
- Suspend all data flows resulting from the use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision and to demonstrate the effective implementation of such suspension and;
- bring the processing operations resulting from its use of Microsoft 365 into compliance with the Regulation (EU) 2018/1725.
To comply with the measures, the European Commission will have to conduct a transfer-mapping exercise to detail personal data transfers, recipients and purposes, as well as ensure that all transfers to third countries take place solely to allow tasks within the competence of the controller by enacting contractual provisions and other organizational and technical measures.
The Commission must demonstrate compliance with both measures by 9 December 2024.
Analysis
Wojciech Wiewiórowski, the EDPS supervisor stated that “It is the responsibility of the EU institutions, bodies, offices and agencies to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.” Due to the duration and the fact that the infringements concern all processing operations carried out by the Commission, or on its behalf, and impact many individuals, the EDPS considers the corrective measures to be appropriate, necessary and proportionate.
In addition, the EDPS announced that these corrective measures are imposed without prejudice to any other or further action that the EDPS may undertake.
The EDPS measures for EU institutions show the importance of data protection and transparency when using cloud-based services, and the need for strong contractual agreements with the providers of those services. For our clients, this means that we must be very aware of current international data transfer requirements to ensure that we are not in breach of the GDPR.
The corrective measures imposed by the EDPS on the European Commission’s use of Microsoft 365 show just how concerned the EU is regarding data protection and compliance with data regulations regardless of the type of organization, thus setting a standard of integrity and transparency throughout the European Union.
