The European Commission must bring its use of Microsoft 365 into line with EU data protection rules by 9 December 2024, after the EDPS found that the Commission had breached those rules. Transfers of personal data outside the EU/EEA must meet EU/EEA standards, and the types of personal data processed and the purposes of processing must be clearly specified. Compliance is mandatory, and the orders are intended to ensure robust data protection measures for EU institutions.
The commission will have to demonstrate compliance with the orders by 9 December 2024.
The European Commission has been ordered to bring its use of the Microsoft 365 office suite into line with EU data protection rules, the European Data Protection Supervisor said today following an investigation.
The EDPS, the data protection watchdog for EU institutions, found that the Commission had violated EU rules, including those on transfers of personal data outside the EU or the European Economic Area (EEA). In its contract with Microsoft, the Commission did not adequately specify what types of personal data are to be processed and for which purposes.
The Commission must now suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA that are not covered by a data transfer agreement.
The Commission will have to demonstrate compliance with the orders by 9 December 2024. Wojciech Wiewiórowski, the European Data Protection Supervisor, said in a statement: “The EU institutions, bodies, offices, and agencies should provide that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is escorted by robust data protection safeguards and measures.”
The EDPS said the corrective measures are appropriate, necessary, and proportionate in light of the seriousness and duration of the violations found. The EDPS also took into account the need not to compromise the Commission’s ability to carry out its tasks in the public interest.
The EU has adequacy arrangements in place with Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the UK, the US, and Uruguay. For data flows to other countries, EU companies and institutions are first required to put safeguards for such transfers in place through the data protection authorities.
Separately, the Commission recently adopted decisions closing four market investigations that were opened on 5 September 2023 under the Digital Markets Act, finding that Apple and Microsoft should not be designated as gatekeepers for the following core platform services: Apple’s messaging service iMessage, Microsoft’s online search engine Bing, its web browser Edge, and its online advertising service Microsoft Advertising.
The decisions close the investigations the Commission opened following Apple’s and Microsoft’s notification in July 2023 of the core platform services that met the quantitative thresholds. The four services covered by today’s decisions were among those notified.
Along with their notifications, Apple and Microsoft also submitted so-called ‘rebuttal’ arguments explaining why, despite meeting the quantitative thresholds, these four core platform services should not, in their view, qualify as gatekeeper services.
In its decision of 5 September 2023, the Commission concluded that the rebuttal arguments submitted by Apple and Microsoft merited an in-depth investigation. Following a thorough assessment of all arguments, taking into account input from relevant stakeholders, and after consulting the Digital Markets Advisory Committee, the Commission found that iMessage, Bing, Edge, and Microsoft Advertising do not qualify as gatekeeper services. The Commission will nevertheless continue to monitor market developments concerning these services, should any significant changes arise. The decisions do not affect in any way the designation of Apple and Microsoft as gatekeepers on 5 September 2023.