Microsoft Software Used By EU Commission Violates Privacy Rules, Says Watchdog

(CTN News) – According to an EU privacy watchdog, the European Commission’s use of Microsoft (MSFT.O) software violated EU privacy rules, and the bloc’s executive also failed to implement adequate safeguards for personal information transferred outside the EU.

The European Data Protection Supervisor (EDPS) has ordered the Commission to take measures to comply with privacy rules and to cease data transfer to the US company and its subsidiaries located in third countries without privacy agreements with the EU, setting a deadline of December 9 for both orders.

EDPS’s decision followed a three-year investigation triggered by concerns about the transfer of personal data to the United States following Edward Snowden’s revelations in 2013 regarding mass US surveillance.

Despite repeated requests from the watchdog, the Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are protected to an essentially equivalent degree as in the EU/EEA.

EEA, or European Economic Area, is composed of the 27 member states of the European Union as well as Iceland, Liechtenstein, and Norway.

“In its contract with Microsoft, the Commission failed to sufficiently specify what types of personal data would be collected and for what explicit and specified purposes,” the EDPS stated.

The Microsoft 365 product suite includes Word documents, Excel spreadsheets, PowerPoint presentations, and Outlook email accounts.

A decision by the data protection authority ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to the company and its affiliates and sub-processors located outside of Europe.

As part of its data adequacy agreements, the EU has signed agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, the United Kingdom, and the United States.

Attempts to reach the Commission for comment were not immediately successful.

To address the concerns raised by the EDPS, Microsoft said it would review the decision and work with the EU executive.
“The European Data Protection Supervisor raised concerns related primarily to the requirement for stricter transparency under the GDPR.

A spokesperson explained that EUDPR is a law that only applies to the institutions of the European Union.

Additionally, the EU executive was instructed to take steps to comply with privacy regulations in its use of Microsoft 365.

SEE ALSO:

Airbnb Listings Cannot Have Indoor Security Cameras