EU's privacy supervisor clears Commission's use of Microsoft | Euractiv


European institutions’ privacy supervisor closed its enforcement action on the Commission’s use of Microsoft on Monday, following updates to the Commission’s privacy practices. 

The development – which clears the Commission’s use of Microsoft’s digital products – follows exchanges between the EU’s executive and the European Data Protection Supervisor (EDPS). In March 2024, the EDPS found that the EU’s executive had breached data protection rules for EU institutions over its use of Microsoft products such as Office 365.

The EDPS’ 2024 decision determined that the Commission’s contract with Microsoft for cloud collaborative tools insufficiently protected personal data from transfers outside the European Economic Area (EEA). It also provided recommendations for bolstering protections.

The Commission has since updated its contract with Microsoft in line with the EDPS’ recommendations. Under the new approach, Microsoft must now specify the purpose for which data may be transferred outside the EEA, along with stipulating any recipients.

The updated contract also requires Microsoft to list the countries to which data may be sent, limiting them to places where the EU recognises an equivalent level of privacy protections or where public interest makes a transfer necessary.

New provisions in the contract further mandate that Microsoft discloses to the Commission when it is asked by another country to comply with data access requests, unless the request is from the EU or a country with equivalent data protections.

In a statement about closing the enforcement, EDPS Wojciech Wiewiórowski also called on other EU institutions, bodies, offices and agencies that use or are considering adopting Microsoft 365 services to carry out “similar assessments and to implement technical and organisational measures comparable to those adopted by the Commission”.

Microsoft welcomed the EDPS’ move, a spokesperson told Euractiv.

Digital sovereignty and adequacy

In parallel with the EDPS’ green light to continue buying Microsoft, the Commission remains worried about its heavy dependence on the non-European company for digital platforms and products that are needed to ensure the EU’s administration can function day-to-day.

The bloc’s executive has also continued to recognise the US as having privacy protections equivalent to the EU’s, under the high-level adequacy deal agreed two years ago. However, since then, US President Donald Trump’s decision to switch Democrats for Republicans in key positions within US privacy oversight bodies has raised concerns over their independence – and, therefore, over the validity of the EU-US adequacy decision.

(nl)