European Data Protection Supervisor Reviews European Commission’s Use of Microsoft 365

The European Data Protection Supervisor (EDPS) is assessing whether the European Commission has complied with the orders issued in its decision of March 8, 2024, regarding the use of Microsoft 365. The Commission had until December 9, 2024, to demonstrate compliance with the regulations. Three days before the deadline, the Commission submitted a report with documentation that is currently being analyzed by the EDPS.


Background of the Investigation

The EDPS initiated this investigation in May 2021, following the ruling from the Court of Justice of the EU in the Schrems II case, which restricted the transfer of personal data to countries lacking protections equivalent to those of the EU. According to the EDPS, the Commission’s use of Microsoft 365 violates several provisions of Regulation (EU) 2018/1725, including the transfer of personal data outside the European Economic Area (EEA).

In its March 2024 decision, the EDPS ordered the Commission to:

  1. Suspend the transfer of personal data to Microsoft and its subcontractors located in countries not covered by EU adequacy decisions.
  2. Align processing operations with European regulations through specific corrective measures.

The Debate on Dependency on Microsoft

Internal documents have revealed concerns within the Commission regarding its dependence on Microsoft. These highlight risks such as the lack of competitive European alternatives, potential price increases, and challenges in ensuring the EU’s technological sovereignty.

However, a Commission spokesperson stated that there are currently no functional equivalents to Microsoft 365, although small-scale open-source software initiatives are being explored.


Challenges and Implications

The continued use of Microsoft 365 raises questions not only about privacy but also about security, as the platform is not authorized to handle classified documents. The absence of European alternatives creates incentives to classify data as less sensitive than they actually are, according to anonymous sources from the institutions.

Additionally, the Commission has challenged the EDPS’s decision before the General Court of the EU, arguing that the regulation has been incorrectly interpreted. Meanwhile, the EDPS has reiterated that its decision remains fully applicable and that its analysis of the submitted documents will be thorough.


Future of Data Oversight

The uncertainty regarding the EDPS’s direction is increasing, as Wojciech Wiewiórowski, the current supervisor, faces competition for re-election. Some experts fear that a more Commission-aligned EDPS could undermine the independence of the authority in matters such as privacy in AI training or the use of personal data.

With hearings and votes for the new supervisor scheduled for January 2025, the use of Microsoft 365 and digital sovereignty are likely to take center stage in the debate.


The case underscores the delicate balance between ensuring data privacy and maintaining operational functionality within EU institutions.

via: euroActive and EDPS
