Learning from European Commission’s Data Compliance Gap in the Use of Microsoft Services

Reading Time: 5 minutes

Authors:  

Claudia Martorelli | Data Protection Advisor

Date: 25 March 2024

The European Data Protection Supervisor (EDPS) has recently shared in a press release the outcome of its investigation into the European Commission (EC)’s use of Microsoft 365 (MS 365). It identified several instances of non-compliance, particularly concerning international transfers of personal data. These findings extend beyond MS 365 procurement, potentially affecting any IT service provider engagement. Hence, this article seeks to outline the identified breaches and offer compliance recommendations for European Union Institutions (EUIs) when engaging with digital (or other) service providers.  

Investigation Background  

The investigation of the EDPS focused on the EC use of MS 365 as detailed under the 2021 Interinstitutional licencing agreement concluded with Microsoft Ireland, which outlines the provision of Microsoft services for the EUIs. The EDPS assessed the EC’s adherence to the recommendations previously issued by the EDPS regarding the utilisation of MS 365 by the EUIs (the Initial Recommendations). The Initial Recommendations were issued as part of the EDPS’s strategy for EUIs to comply with the Schrems II ruling, a significant judgment by the Court of Justice of the European Union concerning the transfer of personal data from the EU to third countries.  

Overview of Key Findings and Related Initial Recommendations 

The EDPS determined that the EC’s use of MS 365 violated key provisions of the EUDPR regarding purpose limitation, international data transfers, data disclosure requests, and the provisions regulating the controller-processor agreement. This section outlines the findings and the corrective measures imposed by the EDPS. For each area, the key points of the Initial Recommendations are recalled to provide practical tips for EUIs to improve their compliance.  

Purpose limitation:
According to the EDPS, the EC:  

  • Did not sufficiently specify the types of personal data collected and the purposes of this collection when using MS 365;  
  • Failed to assess the compatibility of the purposes of further processing with the initial collection purposes; 
  • Did not adequately evaluate the necessity and proportionality of transmitting data to Microsoft Ireland and its sub-processors located in the EEA for a specific purpose in the public interest, as required by Article 9 EUDPR. 

The EDPS ordered the EC to address these issues through contractual measures with Microsoft. 

More specific guidance on how to comply with the principle of purpose limitation when outsourcing IT services is provided in the Initial Recommendations. There, the EDPS suggested that EUIs should establish a specific, explicit and exhaustive set of purposes to cover all types of personal data involved in the use of MS 365. Any purpose not essential for the use of MS 365 should be explicitly prohibited. This would reduce the risk of the provider processing data for different purposes and consequently neglecting the fact that personal data was entrusted to EUIs for reasons of public interests.  

International Data Transfers:
The EDPS found that the EC failed to:  

  • Appraise and specify what data could be transferred to which recipients in third countries and for what purposes;  
  • Perform a Transfer Impact Assessment; 
  • Adopt appropriate safeguards to ensure an adequate level of protection of data outside the EEA; 
  • Obtain the authorisation of the EDPS for the use of the Standard Contractual Clauses (SCCs); 
  • Ensure that transfers take place solely to allow tasks within the competence of the controller to be carried out, as required by Article 47(1) EUDPR.  

The EDPS ordered the EC to perform a thorough transfer mapping exercise and to suspend all data flows to third countries not covered by an adequacy decision resulting from its use of MS 365 by December 9, 2024.  

In the Initial Recommendations, the EDPS provided more specific guidance on how to comply with the requirements on international data transfers. There, the EDPS suggested that EUIs should thoroughly check and document all data flows from existing users’ computers to any external destinations to identify the transfers from MS 365 to Microsoft servers or its subcontractors. EUIs should have a clear picture of the countries through which the data are likely to transit in order to properly assess the measures necessary to safeguard the data. This monitoring should apply also to the release of products updates, where EUIs must verify the configuration with the service provider to eliminate any unlawful transfer of personal data that may be introduced as a result. The clear mapping of data transfers and safeguards measures adopted should be documented in the dedicated appendices to the SCCs, which should be tailored to each product and service concerned and each recipient (including subcontractors).  

Unauthorised Data Disclosure:
The EDPS found that the EC failed to:  

  • Ensure that Microsoft notified the EC of all received data disclosure requests, unless prohibited by EU or Member State law or by the law of a third country ensuring a level of protection essentially equivalent to that in the EEA; 
  • Assess the legislation of the third countries where data was transferred so as to prevent Microsoft and its processors disclosing personal data in ways not authorised under EU law.  

The EDPS ordered the EC to address these issues through contractual provisions with Microsoft.  

Further guidance on disclosure requests is provided in the Initial Recommendations. Some of the recommendations made by the EDPS are to:  

  • Request immediate notification from Microsoft of any past and future data access requests received;   
  • Ensure that Microsoft, or any of its sub-processors, do not disclose data without prior agreement and direction from the relevant EUI;  
  • Annually request information regarding any disclosure of EUIs data and the actions taken in response.  

The EDPS also stressed that EUIs should require, as a rule, that any data processing performed on their behalf should take place in the EU/EEA, and especially for processing operations for purposes of back up, business continuity and performance of remote operations. This will lower the risk of third countries authorities gaining access to the data in the context of law enforcement.  

Controller-processor agreement:
According to the EDPS, the EC, in its role as data controller, fell short in providing clear instructions to Microsoft Ireland regarding data processing across all of the areas covered in the paragraphs above. Some of the identified violations were found to constitute also a breach of Article 29 EUDPR since the contractual agreement between the EC and Microsoft did not: 

  • Specify the types of data to be processed, the purposes and the conditions for transferring such data to recipients in third countries; 
  • Contain provisions to ensure that they would be promptly notified of any data disclosure requests unless prohibited by EU or Member State laws or third country’s law (where such restriction is proportionate and aligned with democratic principles and fundamental rights). 

In the Initial Recommendations, the EDPS suggested specific measures to include in the controller-processor agreement to ensure that EUIs provide clear instructions to service providers. These instructions should cover the data types to be processed, access permissions, storage protocols, security measures and guidelines for transfers to third countries. Such instructions should be incorporated in the contract, which should include also any necessary templates (e.g., for the communication of data breaches) and procedures to comply with them. 

Trilateral’sData Protection and Cyber-risk teamincludes data protection specialists with extensive expertise in assisting EUIs in increasing their compliance with EUDPR. Trilateral Research has also created different articlesto help EUIs better understand their requirements under the EUDPR (among others, see:EDPS opinion on the use of social media monitoring for epidemic intelligence purposes by The European Centre for Disease Prevention and Control” and “Challenges and recommendations when moving to the cloud”). Feel free to contact our advisors if you would like to receive expert assistance. 

Related posts

Get the latest insights from Trilateral in our new monthly article, featuring the latest developments from across our innovation and researc…

Let's discuss your career