Skip to content

EU Commission’s Microsoft 365 use breaches data protection rules

  • by
  • 3 min read

The European Data Protection Supervisor (EDPS), Wojciech Wiewiorowski, has found the European Commission breached crucial data protection rules while utilising Microsoft 365. The investigation was initiated in May 2021 following the Schrems II judgements and prompted EDPS to enforce corrective measures against the Commission.

EDPS has ordered the Commission to take measures by December 9, 2024, to rectify and halt the data transfer resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU that are not covered by adequacy decisions.

Microsoft 365 products, which include Word, Excel, PowerPoint, OneDrive, Access, Teams, and Clipchamp, are used worldwide.

Currently, the EU has recognised 15 countries as providing adequate protection. These countries include Andorra, Argentina, Canada, Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, South Korea, Switzerland, the UK, the US and Uruguay.

Additionally, the Commission must bring its processing operations related to Microsoft 365 into compliance with Regulation (EU) 2018/1725 by the same date.

In its investigation, the EDPS determined that the Commission violated multiple provisions of Regulation (EU) 2018/1725, the EU’s data protection law governing EU institutions, bodies, offices, and agencies.

EDPS has given December 9 as the end date to suspend all the data transfers with the non-data adequacy countries.

“It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI,” said Wojciech WIewiorowski.

The key areas of infringement include the inadequate protection of personal data transferred outside the EU/European Economic Area (EEA) and a lack of specificity in defining the types of personal data collected and the explicit purposes of such collection in the contract with Microsoft.

“Concerns raised by the European Data Protection Supervisor relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the European Union institutions,” a Microsoft spokesperson told Reuters. Microsoft also said it would take the necessary steps to ensure that Microsoft 365 complies with the rules.

In the News: MSIX malware disguised as Notion installer targets users

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: