The European Commission violates GDPR rules


Nousseu DOUON


An investigation conducted by the EDPS (European Data Protection Supervisor) points out certain shortcomings of the European Commission. It has violated several data protection rules in its use of Microsoft 365 (a suite of Microsoft office software). Corrective measures have been addressed to the Commission.

Context of the Investigation

EU bodies and institutions, like private actors, are subject to the obligations of the GDPR (General Data Protection Regulation).

On May 27, 2021, following the Schrems II decision, the EDPS launched two investigations:

  • One targeting the Cloud services of Microsoft and Amazon used by EU bodies and institutions.
  • The other focusing on the use of Microsoft 365 by the European Commission.

The goal of these investigations was to ensure that these institutions comply with the requirements of the Schrems II ruling, particularly regarding the transfer of personal data outside the European Union, since the services examined are provided by companies based in the United States.

The Schrems II ruling of July 16, 2020 invalidated the Privacy Shield, the framework that had allowed data transfers to the United States, because of disproportionate infringements on individuals' privacy by US companies and operators.

Identified Violations

In a press release on February 11, 2024, the EDPS concluded that the use of Microsoft 365 by the European Commission was not compliant with data protection requirements.

The EDPS identified that:

  • The Commission did not provide adequate guarantees for data transfers outside the EU in the context of using Microsoft 365.
  • The contract between the Commission and Microsoft did not specify what types of personal data were collected, and for what purposes.

As a result, the Commission has until December 9, 2024, to suspend all transfers of personal data to Microsoft and its subsidiaries located in non-EU countries that are not compliant with the GDPR. It is also required to bring all data processing resulting from its use of the Microsoft 365 suite into compliance.

[Photo Credit: Christophe Licoppe - European Commission]