The EDPS Decision Following its Investigation into the European Commission’s Use of Microsoft 365: 3 key points for EUIs to consider

Reading Time: 7 minutes

Authors:  

Sandra Moran | Senior Data Protection Advisor

Date: 22 April 2024

On 8 March 2024, the EDPS adopted a decision following its investigation into the European Commission’s use of Microsoft 365 (M365). After the publication of the press release, which we presented in one of our previous posts, the full decision was published on 25 March and consists of 180 pages and 604 points. The decision covers, inter alia, the Inter-Institutional Licence Agreements (ILA) dated 2018 and 2021 in place between the Commission and Microsoft, the responses of both parties to the EDPS, and the considerations formed over the course of the investigation.

This post outlines three key aspects for consideration by EUIs using Microsoft products and services, especially those that have relied on existing instruments¹ such as the ILA in its several versions. As the EDPS makes clear, this investigation could have consequences for the Commission in its capacity as the lead contracting authority for the procurement of Microsoft products and services by EU institutions, bodies, offices and agencies.²

Three key points to consider for EUIs using Microsoft Services

1. The challenges within the 2021 ILA

The Decision opens with the EDPS’s appreciation of the improvements the Commission implemented in the 2021 ILA compared with the 2018 ILA, in particular the introduction of detailed audit provisions. However, some aspects of the ILA may remain challenging for EUIs using Microsoft services, such as:

  • The 2021 ILA allows Microsoft to process personal data for some purposes which, in the view of the EDPS, are not indispensable to providing the services that the Commission requires to carry out its tasks. These include Microsoft’s own purposes, such as managing the business relationship with its customers, internal reporting, forecasting and business modelling.
  • The broad approach taken to some definitions within the 2021 ILA which, in the view of the EDPS, may imply the use of machine learning or artificial intelligence (AI) within some services. In its preliminary assessment, the EDPS found it unclear whether processing for training machine learning or AI was in scope of the services and permitted by the Commission. On this point, Microsoft clarified the existence of advanced features³ within the Editor text predictions in Outlook or Word, which use AI to predict and offer suggested text to the user. Microsoft also explained that AI is used to provide protection against security threats (detect, investigate, respond to, and remediate).
  • The ILA foresees several transfer destinations other than the US and, as a consequence, a potential lack of control for the EUIs. For example, Attachment 4 to the Data Processing Agreement (covering only the sub-processors involved in the provision of the online services) lists 75 envisaged transfer recipients who are contractually permitted to process personal data. Countries such as Australia, Brazil, Chile, China, Egypt, Hong Kong, India, Israel, Malaysia, Republic of Korea, Serbia, Singapore, South Africa and the United Arab Emirates appear on this list, which includes 12 countries that are not covered by an adequacy decision.
  • On the other hand, it should also be considered that the sub-processors with access to data for the purposes of providing professional services are listed on a Microsoft website. As noted by the EDPS, the information provided only states where these sub-processors are headquartered, not from where the personal data is accessed.

2. The role and limits of the different sets of SCCs mentioned in the ILA

Firstly, the ILA 2021 presented different ways in which transfers of personal data may occur in the Commission’s use of Microsoft 365:  

  • From the Commission to Microsoft Corporation and other sub-processors and,  
  • from Microsoft Ireland to Microsoft Corporation (US) and other sub-processors.  

In September 2021, Microsoft Ireland and Microsoft Corporation concluded GDPR SCCs (processor-to-processor module), based on the SCCs set out in Implementing Decision (EU) 2021/914. In January 2022, the 2021 ILA was modified by an amendment to reflect the conclusion of these SCCs. The Decision provides some interesting insights concerning the two sets of SCCs⁴, such as:

  • According to the Commission and Microsoft Ireland, no direct transfers have taken place from the Commission to third countries. However, in the view of the EDPS, personal data are being transferred directly from the Commission’s devices to servers in third countries (including the US). The EDPS’s conclusion is based on several sources: 1) the information provided by Microsoft on its website; 2) the information provided by Microsoft Ireland in its reply to the EDPS’s preliminary assessment; and 3) the connections identified by the Baden-Württemberg data protection authority in its audit of Microsoft 365 software, in which transfers were identified from the authority’s M365 devices to Microsoft servers. The EDPS established, based on IP lookup, that these servers were located in the United States.
  • As explained in the Decision, an EU institution or body cannot directly rely on the SCCs for transfers under the GDPR, even as ad hoc contractual clauses. The approach to take is to use them (in particular module two, for controller-to-processor transfers) as a basis for preparing contractual clauses under Article 48(3)(a) of the EUDPR.
  • In practical terms, this means that an EUI using the GDPR SCCs (controller-to-processor module) with its processor should adapt them, following, among others, the advice provided by the EDPS.

3. The challenges related to the lack of clarity on the data flows

As mentioned above, the EDPS refers to the Data Protection Impact Assessment report of October 2021 on the deployment of Microsoft’s M365 services in the European Commission. On reading the Decision, some aspects of that DPIA lack clarity on relevant areas of the processing. Among others:

  • The description of the potential transfer scenarios (11, of which only 4 are active, in the words of the Commission⁶) is not in line with the information provided by the Commission to the EDPS. In addition, the description appears to diverge from the information available on Microsoft’s website and from the results of the DPIAs conducted on behalf of the Dutch Ministry of Justice⁷. Also, as the Commission makes use of certain “connected experiences” provided by Microsoft, some telemetry data flows to the US take place and the data is stored there. The Decision therefore states that a new effective transfer scenario, not listed in the Commission’s 2021 DPIA, has been identified⁸.
  • Only one transfer destination was assessed by the Commission in this document: the United States. As Point 1 of this post shows, the US may not be the only potential destination of the personal data.
  • As stated in the Decision and in the view of the EDPS, neither the Commission nor Microsoft had, at least at the time of the completion of that DPIA, a clear and detailed understanding of the data flows resulting from the Commission’s use of M365.

Recommendations: 

The EDPS provides a number of recommendations within the Decision that may be useful for EUIs in terms of ensuring compliance with the EUDPR: 

  • An EU institution or body cannot directly rely on the SCCs for transfers under the GDPR, even as ad hoc contractual clauses. If GDPR SCCs are to be used, the EUI would need to adapt them to reflect the specific requirements of the EUDPR, among others: a stricter purpose limitation requiring that personal data be transferred solely to allow tasks within the competence of the EUI under EU law, and increased obligations to ensure the security and confidentiality of personal data and electronic communications.
  • When seeking the assistance of other processors, existing resources may help EUIs not only in the assessment but also in the negotiation. For example, EDPB Recommendations 01/2020 and 02/2020 may be helpful when performing transfer impact assessments. In this regard, we would specifically recommend: a) an in-depth analysis of India’s legal landscape, given its pre-eminent place in the global IT support-service industry, as outlined by the EDPS, and b) using the resources provided by the EDPS in the footnotes of the Decision.
  • EUIs should have a clear understanding of whether processing for training machine learning or AI may be in scope of the services to be provided by the potential processor.
  • Considering the above, EUIs acting as controllers should ensure that they have control of the contractual agreements with their processors, and that these agreements are kept up to date with, and implement, the latest advice and recommendations from the EDPS.

As the above points show, there are aspects to be reviewed and addressed by EUIs when using Microsoft services. We would recommend undertaking an internal process to identify the specific Microsoft tools in use in each EUI; this will help to identify not only the potential use of AI, but also the international transfers currently in place from the EUI to Microsoft, and the potential need to adapt the mechanism in place to regulate them and enhance compliance with the EUDPR.

Trilateral’s Data Protection and Cyber-risk team includes data protection specialists with extensive expertise in assisting EUIs in increasing their compliance with the EUDPR. Trilateral Research has also published articles to help EUIs better understand their requirements under the EUDPR (among others, see “EDPS opinion on the use of social media monitoring for epidemic intelligence purposes by The European Centre for Disease Prevention and Control” and “Challenges and recommendations when moving to the cloud”). Feel free to contact our advisors if you would like to receive expert assistance.

Footnotes

¹ The EDPS Investigation into use of Microsoft 365 by the European Commission (Case 2021-0518) refers to the Commission’s 2021 DPIA: Data Protection Impact Assessment report of October 2021 on the deployment of Microsoft’s M365 services in the European Commission.

² EDPS Investigation into use of Microsoft 365 by the European Commission (Case 2021-0518), Point 4.

³ In the view of Microsoft, these features could be characterized as “providing a personalized service”.

⁴ Set 1: controller-processor SCCs originally included in the ILA; Set 2: processor-processor SCCs, added to the ILA in 2022.

⁵ In which Microsoft confirmed that “Diagnostic data is collected and sent to Microsoft about Office client software running on the user’s device in your organisation.” (p. 1) “Even if you choose ‘Neither’, required service data will be sent from the user’s device to Microsoft”.

⁶ These four effective transfer scenarios relate to transfers of service-generated data to the United States, transfers related to the accessibility of M365 services from outside the EEA, transfers related to the resolution of support cases by Microsoft engineers outside the EEA, and transfers of licensing and activation data. Certain data flows have been disabled by technical configuration.

⁷ These are: Public DPIA Teams OneDrive SharePoint and Azure AD, available here and DPIA Office 365 ProPlus version 1905 (June 2019) available here.

⁸ This scenario is taking place despite the adjusted configuration of Microsoft 365 software developed by the Commission.
