The European Data Protection Supervisor (EDPS) is a body which monitors and ensures that European institutions and bodies respect the right to privacy and data protection when they process personal data and develop new policies. The EDPS recently adopted a decision following an investigation into how the European Commission (EC) uses Microsoft 365.

The investigation was opened in May 2021 following the Schrems II judgment and given concerns over how Microsoft processes the data of its cloud service users. Its aim was to verify the EC’s compliance with recommendations previously issued by the EDPS on the use of Microsoft's products and services by EU institutions and bodies.

We consider the key elements of this decision.

Background

The EDPS found that the EC breached various provisions of Regulation (EU) 2018/1725. While the Regulation applies only to EU institutions, bodies, offices, and agencies, the GDPR imposes equivalent requirements on private companies.

In particular, the decision focuses on issues of:

• Purpose limitation
• Data transfers, and
• Unauthorised disclosures of personal data

Purpose limitation

The EDPS considered the agreements in place between the EC and Microsoft, and, in particular, considered in detail the nature of the personal data being processed under these agreements. The agreements referenced “service generated data” and “diagnostic data”, however, the EDPS found that these references lacked clarity. Despite the EC and Microsoft providing specific examples of “service generated data”, this was not sufficient to satisfy the requirement that personal data be sufficiently determined regarding the purposes of processing.

On the processing described in the agreements, the EDPS considered:

• “Processing for the provision of services”
• “Processing for business operations”, and
• “Processing for incompatible purposes and inter-EEA transmissions”

The EDPS found that the agreements’ language was not precise enough and overall that instructions for processing were not clearly documented. It also found that the EC did not adequately assess whether purposes for further processing were compatible with the purposes for which personal data was originally collected. The EDPS also concluded that the EC failed to assess necessity and proportionality to transmit personal data to Microsoft Ireland and its sub-processors in the EEA for a specific purpose in the public interest.

Data transfers

The EDPS considered the requirements for international transfers in particular referencing the agreements in place between the EC and Microsoft. The EC had argued that it did not transfer personal data to third countries directly. However, this was rejected by the EDPS. Ultimately, the EDPS found that instructions provided by the EC regarding what personal data may be transferred and to where were insufficient. It also concluded that the EC did not adequately map out transfers despite having reported high-risk transfers to the US and other non-EEA countries, and determined that the EC did not carry out proper transfer impact assessments. Supplementary measures put forward by Microsoft and the EC were found to be insufficient, even when looked at collectively. Appropriate safeguards to ensure an essentially equivalent level of protection to that in the EU/EEA were not put in place between the EC and Microsoft.

Unauthorised disclosures of personal data

Finally, in light of all of the previously mentioned factors, the EDPS considered whether unauthorised disclosures of personal data were made. The provisions on disclosure in agreements between the parties were considered broad in scope. This is because they encompassed both processing undertaken by Microsoft to provide online services, and the processing it carries out for the purposes of its own business operations. Despite there being qualifications and limitations provided for in the agreements, the EDPS found that these were insufficient. The EC did not carry out the requisite transfer impact assessments and on that basis, the EDPS stated that it could not ensure that Microsoft and its sub-processors do not make unauthorised disclosures. In other words, the EC failed to implement effective technical and organisational measures required by the Regulation.

The EC was found to have violated several provisions of the Regulation by:

• Failing to limit the processing of personal data to the stated purposes of processing
• Failing to comply with the rules on international data transfers, and
• Making unauthorised disclosures of personal data

Comment

The EDPS ordered the EC to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors in countries outside the EU/EEA not covered by an adequacy decision unless it can demonstrate compliance with the Regulation by 9 December 2024. A further onerous order was issued requiring the EC to bring the processing operations resulting from its use of Microsoft 365 into compliance by the same date.

This entails carrying out a detailed transfer-mapping exercise to identify:

• What categories of data are to be transferred
• For which purposes the data is being transferred
• Which safeguards need to be utilised
• The recipients of the data in third countries outside the EEA, and
• Whether there are likely to be any onward transfers

Wojciech Wiewiórowski of the EDPS stated that “it is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures.”

The decision serves as an important reminder of the standards that must be adhered to when personal data is transferred outside the EU/EEA.

As the GDPR imposes equivalent requirements on private companies, controllers who use Microsoft 365 and similar cloud-based platforms should ensure that their data processing agreements are sufficiently detailed to be compliant with GDPR. This may require a detailed data protection review of how exactly the personal data they control is processed and who is processing this data.

For more information and expert advice, contact a member of our Privacy & Data Security team.

People also ask

The content of this article is provided for information purposes only and does not constitute legal or other advice.