European Commission’s use of Microsoft 365 breaches data protection law for EU institutions and bodies

The European Data Protection Supervisor (EDPS) has found that the European Commission (Commission) has breached several provisions of Regulation (EU) 2018/1725, the EU data protection law for EU institutions (EUIs), in its use of Microsoft 365, including those relating to the transfer of personal data outside the EU and the European Economic Area (EEA). The EDPS is imposing corrective measures on the Commission.

In particular, the Commission has failed to provide adequate safeguards to ensure that personal data transferred outside the EU/EEA are afforded the same level of protection as that guaranteed within the EU/EEA.
Furthermore, in its contract with Microsoft, the Commission did not sufficiently specify the types of personal data to be collected and for what explicit and specified purposes when using Microsoft 365. The Commission’s breaches as data controller also relate to data processing, including the transfer of personal data, carried out on its behalf.

The EDPS has therefore decided to order the Commission to suspend, with effect from 9 December 2024, all data flows resulting from the use of Microsoft 365 to Microsoft, its subsidiaries and sub-processors located in countries outside the EU/EEA that are not covered by an adequacy decision.

In effect, the EDPS has confirmed what we have been arguing for years, namely that the only individual productivity solutions that also guarantee data protection and support the concept of Europe’s digital sovereignty – technological independence from the commercial decisions of high-tech companies, especially from the US – are FOSS solutions such as LibreOffice combined with a standard, open and independent data format such as the Open Document Format.

The EDPS, though, has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission has until 9 December 2024 to demonstrate compliance with both orders.

The EDPS considers that the corrective measures it imposes (described in the document annex [1]) are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found.
Many of the infringements found concern all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365, and impact many individuals.

Unfortunately, all the remedies identified by the EDPS relate to Microsoft 365, and therefore do not address the root of the problem by suggesting the use of FOSS solutions such as LibreOffice and the only truly standard, open and independent document format, the Open Document Format.

It is highly likely that Microsoft’s solution will be the usual ‘sticking plaster’ that hides the problem without addressing it, and that the lobbyists – who I am sure are already at work – will make it look appropriate in the eyes of politicians.

And if we continue to protest, knowing that we will not be heard because we do not have the same firepower as the lobbyists of the big US high-tech companies, which are present in Brussels with hundreds of professionals, we will always hear the same thing: “They all do the same…”

[1] https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en