New setback for Microsoft in the European Union

Microsoft products questioned for privacy


In recent years we have covered the multiple objections that European and Asian regulators have to American cloud services and their handling of personal data. This time we will talk about a new setback for Microsoft.

Actually, the one that takes the slap on the wrist is the European Commission, for its decision to use Microsoft 365, the American company's cloud office suite.

Microsoft's new setback

For those of us who are not on the European continent, let's start by explaining that the European Commission is one of the most important institutions of the Union. Led by a president proposed by the European Parliament and composed of one member from each member country of the Union, it has the following functions:

  • Propose legislation to be analyzed and eventually approved by the European Parliament and the Council.
  • Execution of policies and budgets.
  • Monitoring compliance with community legislation.
  • Representation of the Union in international negotiations.

The European Data Protection Supervisor (EDPS) is the independent supervisory authority for the protection of personal data and privacy and the promotion of good practices in the EU institutions and bodies.

The questions

According to the European Data Protection Supervisor (EDPS), by using Microsoft 365 the European Commission violated the data protection laws of the European Union.

After its investigation, the EDPS found that several provisions of Regulation (EU) 2018/1725 were violated. This is the law that establishes what data protection policies must be implemented by EU institutions, bodies, offices and agencies. The EDPS put the magnifying glass on the provisions that deal with transfers of personal data outside the EU/European Economic Area (EEA).

The complaints relate in particular to the Commission's failure to establish adequate safeguards to ensure that personal data, when transferred outside the EU, have a level of protection similar to that which should be provided within the region. It is also objected that in the agreement with Microsoft, the Commission did not make it sufficiently clear what types of personal data will be collected and what the explicit and specified objectives will be when using Microsoft products. Other failings of the Commission as a data controller concern data processing, including transfers of personal data, carried out on its behalf.

On behalf of the entity, Wojciech Wiewiórowski stated:

It is the responsibility of the EU institutions, bodies, offices and agencies to ensure that any processing of personal data within and outside the EU, including in the context of cloud-based services, is accompanied by robust data protection measures and safeguards. This is imperative to ensure that individuals' information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, a Union entity.

As a result of its investigation, the EDPS decided to order the Commission to suspend, as of December 9, 2024, all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and subprocessors that are located in countries outside the EU and have not justified their compliance with the regulations. The EDPS also determined that the Commission must make the processing operations resulting from its use of Microsoft 365 comply with Regulation (EU) 2018/1725. The Commission will be required to demonstrate compliance with both orders by December 9, 2024.

Microsoft 365 is what was previously known as Office 365. It is a set of services and software that combines Microsoft Office desktop programs with cloud services.

Its use has been questioned in the past, as has that of its competitor Google Docs, for sending and storing data outside the European Union without establishing safeguards that meet the regulations its European counterparts must comply with.

