By Amanda Mackenzie & Jade Kowalski

Published 09 April 2024

Overview

In a somewhat remarkable decision, the European Data Protection Supervisor (EDPS) has found that the European Commission's use of Microsoft 365 is in breach of Regulation 2018/1725 (the GDPR equivalent applicable to EU institutions) by reference to infringements of several key data protection obligations including purpose limitation, international data transfers and unauthorised disclosures. It requires data flows to be suspended and corrective measures implemented by 9 December 2024.

The EDPS issued a press release on 11 March summarising its key findings, which are set out below, and published its full decision on 25 March.

Background

The EDPS oversees the rules for data protection in the EU institutions, bodies, offices and agencies. Regulation 2018/1725 is the GDPR equivalent (although with some stricter provisions) applicable to the EU institutions (the Regulation).

This investigation into the Commission's use of Microsoft 365 began in May 2021 following the Schrems II decision and formed part of the 2022 Coordinated Enforcement Action on the "Use of Cloud-based Services by the Public Sector" carried out by the European Data Protection Board (EDPB).

The investigation considered the contractual arrangements between the Commission and Microsoft, in particular the Inter-Institutional Licensing Agreement concluded with Microsoft Ireland in 2021 (2021 ILA).

Key findings of the EDPS

The EDPS found that the Commission failed to comply with its data protection obligations in the period from 12 May 2021 to 8 March 2024 in three key areas: purpose limitation, data transfers and unauthorised disclosures.

Purpose limitation

The EDPS found that the Commission had failed to limit the processing of personal data in the 2021 ILA. In particular, it failed to:

  • sufficiently determine the types of personal data collected in relation to each of the purposes of the processing and ensure that the purposes for which Microsoft was permitted to collect data were specified and explicit;
  • ensure Microsoft processed personal data to provide its services only on documented instructions;
  • assess whether the purposes for processing were compatible with the purposes for which the data was initially collected; and
  • assess whether it was necessary and proportionate to transmit personal data to Microsoft Ireland and its sub-processors located in the EEA for a specific purpose in the public interest.

Transfers of personal data outside the EU/EEA

The EDPS found that the Commission's use of Microsoft 365 was in breach of international transfer requirements. In particular, it failed to:

  • clearly provide and document instructions, specifically regarding the types of personal data to be transferred and to which recipients, in which third country and for which purposes;
  • provide appropriate safeguards ensuring that personal data transferred enjoyed an essentially equivalent level of protection to that in the EEA. The Commission had not obtained the minimum information necessary to determine whether any supplementary measures were required and could be implemented. It is worth noting here that the EDPS limited this infringement to "prior to the entry into force of the US adequacy decision" of the EU-US Data Privacy Framework;
  • clearly map the proposed transfers or conduct a transfer impact assessment before entering into the Standard Contractual Clauses; and
  • ensure the data transfers took place solely to allow tasks within the competence of the controller to be carried out.

Unauthorised disclosures of personal data

The EDPS also found that the Commission's use of Microsoft 365 resulted in unauthorised disclosures of personal data. In particular, it failed to assess the legislation of the third countries to which personal data might be transferred under the ILA, and failed to implement effective technical and organisational measures that would ensure processing in accordance with the principle of integrity and confidentiality.

Corrective measures

The EDPS ordered that the Commission must:

  • suspend all data flows arising from its use of Microsoft 365 to Microsoft, its affiliates and its sub-processors located in countries outside the EU/EEA which have not been deemed adequate; and
  • bring its processing operations into compliance by the 9th of December 2024.

To bring the processing operations into compliance, the Commission is required to carry out a data mapping exercise to identify the personal data transferred to each recipient, in which third countries, for which purposes and subject to which safeguards including any onward transfers.

Importantly, the EDPS found the general contractual arrangements between the Commission and Microsoft (i.e. the controller–processor data processing agreement) to be non-compliant and required that the contract clearly specify:

  • that all personal data is collected for explicit and specified purposes;
  • the types of personal data in sufficient detail in relation to the purposes for which they are processed;
  • that any processing by Microsoft or its affiliates or sub-processors is only carried out on the Commission's documented instructions; and
  • that disclosures of personal data which would otherwise be unauthorised can only be made in accordance with EU/Member State law or, if outside the EEA, where the request for disclosure constitutes a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter.

Conclusion

This decision is likely to have a significant impact on data protection provisions in contracts with cloud-based processors such as Microsoft. The challenge will be whether controllers even have the ability to negotiate the specific terms recommended by the EDPS when large tech processors often contract on their standard online terms and conditions.

Look out for our further analysis on practical steps which will follow shortly.