An anonymous reader cites a TechCrunch report. A long-running investigation into the European Union's use of Microsoft 365 has found that the European Commission violated the Union's data protection rules through its use of the cloud-based productivity software. Announcing the decision in a press release today, the European Data Protection Supervisory Authority (EDPS) said the European Commission had breached “several important data protection rules when using Microsoft 365.” “The Commission did not sufficiently specify what types of personal data are collected when using Microsoft 365 and for explicit and specific purposes,” the data supervisor, Wojciech Wiewiorowski, wrote, adding: “The Commission's encroachment as a data controller means that data processing, including the transfer of personal data, is carried out on its behalf.” The EDPS imposed corrective measures requiring the Commission to address the compliance issues it identified by December 9, 2024, assuming it continues to use Microsoft's cloud suite. The regulator, which oversees EU institutions' compliance with data protection rules, launched an investigation into the European Commission's use of Microsoft 365 and other US cloud services in May 2021. […]
The European Commission confirmed receipt of the EDPS's decision and said it would need to analyze its basis “in detail” before making a decision on how to proceed. In a series of statements at the press conference, the company expressed confidence that it complies with “applicable data protection regulations, both in practice and in law.” It also said that “various improvements” were made to the contract with the EDPS during the investigation. “We have cooperated fully with EDPS since the beginning of the investigation, including providing them with all relevant documents and information and following up on issues raised during the course of the investigation.” “The Commission is always ready to implement substantiated recommendations from the EDPS and is grateful to have received them. Data protection is a top priority for the Commission.”
“The Commission has always been committed to ensuring that the use of Microsoft M365 complies with applicable data protection regulations and will continue to do so. All other information obtained by the Commission The same applies to software.” “The new data protection regulation for EU institutions and bodies entered into force on 11 December 2018. The European Commission is actively pursuing an ambitious and secure adequacy framework with international partners. The Commission will apply these rules to all processes and contracts, including those with individual companies, such as Microsoft.” The Commission's public statement says that it is committed to complying with its legal obligations. “Compliance with the EDPS decision is unfortunately likely to undermine the current high level of mobile and integrated IT services,” it said. “This may apply not only to Microsoft, but also to other commercial IT services. However, we first need to analyze in detail the conclusions and underlying reasons for the decision. Until the analysis is complete, we will not comment further.”