Mar 12, 2024 12:10:00

Privacy watchdog points out that the use of Microsoft 365 at the European Commission violates personal information protection rules, and the European Commission is required to take corrective measures

On March 11, 2024,

the European Data Protection Inspectorate (EDPS) announced that the European Commission in the European Union (EU) has issued a statement regarding the use of Microsoft's subscription service ' Microsoft 365 ' in accordance with the 'EU Personal Information Protection Regulation.' It is in violation of the ``.''

EDPS-2024-05-European-Commission_s-use-of-M365-infringes-data-protection-rules-for-EU-institutions-and-bodies_EN
(PDF file) https://www.edps.europa.eu/system/files/2024-03/EDPS-2024-05-European-Commission_s-use-of-M365-infringes-data-protection-rules-for- EU-institutions-and-bodies_EN.pdf

European Commission's use of Microsoft 365 infringes data protection law for EU institutions and bodies | European Data Protection Supervisor
https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and- bodies_en

In its investigation, the #EDPS @W_Wiewiorowski has found that the @EU_Commission has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission. Read Press Release: https://t. co/XsMDnsfSGk pic.twitter.com/shvufa3KUx

— EDPS (@EU_EDPS) March 11, 2024

EU Commission's use of Microsoft software breached privacy rules, watchdog says | Reuters
https://www.reuters.com/technology/eu-commissions-use-microsoft-software-breached-privacy-rules-watchdog-says-2024-03-11/

European Commission broke data protection law with Microsoft • The Register
https://www.theregister.com/2024/03/11/european_commission_infringed_data_protection/

According to the EDPS, the European Commission has breached multiple data protection regulations, including rules on the transfer of personal data outside the EU and the European Economic Area (EEA). The EDPS states that ``The European Commission has established appropriate safeguards to ensure that personal data transferred outside the EU and EEA receives essentially the same level of protection as guaranteed within the same territory.'' 'Furthermore, in its contract with Microsoft, the European Commission has clarified what types of personal data it collects when using Microsoft 365, and for what purposes. It does not sufficiently specify whether the

Furthermore, by December 9, 2024, EDPS will require Microsoft and its associated companies based in third countries that do not have a privacy agreement with the EU to cease all data flows resulting from the use of Microsoft 365. I ordered. We have also imposed remedial measures on the European Commission to ensure compliance with privacy regulations and to stop transferring data to Microsoft.

EDPS Supervisor Wojciech Wiewiorowski said: “It is up to EU institutions and bodies to ensure that the processing of personal data within and outside the EU and EEA, including through cloud-based services, is accompanied by strong data protection measures and measures. , it was the responsibility of the office and this order was essential to ensure the protection of personal information.'

The EDPS investigation found that 'many of the issues discovered relate to the European Commission and all processing operations carried out on behalf of the Commission when using Microsoft 365 and affect a large number of individuals.' It has been reported that. A Microsoft spokesperson said: ``The concerns raised by EDPS are primarily related to stricter transparency under the EUDPR (PDF file) law, which applies only to institutions in the European Union. 'Customers living in the United States can continue to use Microsoft 365, which is fully GDPR compliant, with continued support and guidance.'

The European Commission has not commented on this order.