European Commission Violates GDPR Regulations
The European Commission has been given until December 9, 2024, to address data protection concerns in its use of Microsoft 365, following an investigation by the European Data Protection Supervisor (EDPS). The investigation, launched in May 2021, found several infringements of EU data protection rules in the Commission's use of the cloud service.
The EDPS identified several issues, including inadequate data security, unlawful international data transfers, and insufficient transparency regarding government access to data. To address these concerns, the EDPS imposed corrective measures to bring the Commission into compliance with EU data protection regulations.
Key measures include the suspension of all data flows to Microsoft and its sub-processors located in third countries outside the European Economic Area (EEA) that are not covered by an EU adequacy decision, until effective suspension can be demonstrated. The Commission was also required to conduct a transfer-mapping exercise to identify personal data transfers, recipients, involved third countries, purposes, and safeguards.
Other measures include ensuring purpose limitation by explicitly specifying the types of personal data processed and restricting Microsoft and its sub-processors to process data only on documented instructions and for specified public interest purposes. The Commission was also tasked with implementing technical and organisational measures jointly with Microsoft to reduce unauthorized data disclosures and to ensure that data processed outside the EEA meet an essentially equivalent level of protection.
Additionally, the Commission was required to update contractual provisions so that only EU or Member State law can require Microsoft or its sub-processors to omit notifications to the Commission regarding disclosure requests for personal data processed within the EEA or to disclose such data. Microsoft must inform the Commission of any foreign government access requests unless they come from the EU or from countries offering equivalent protection.
Following implementation and ongoing dialogue, the EDPS confirmed the Commission's compliance with the regulation by July 2025. However, Microsoft has acknowledged that it cannot fully guarantee protection of European data from legitimate access requests under US law, reflecting a broader unresolved tension between EU data protection standards and US extraterritorial surveillance laws.
The EDPS is an independent European Union body that monitors the protection of personal data in the EU. The Commission is required to ensure that all data processing resulting from its use of the Microsoft 365 suite is in compliance with the GDPR. The Schrems II decision, a ruling by the Court of Justice of the European Union that invalidated the Privacy Shield, a framework for data transfers from the EU to the US, also plays a role in these investigations.
The European Data Protection Committee (EDPC) has found shortcomings in the European Commission's use of Microsoft 365: the Commission did not provide sufficient guarantees for data transfers outside the EU in that context. The investigations aim to ensure that these institutions comply with the requirements of the Schrems II decision, particularly regarding the transfer of personal data outside the European Union.
Photo credit: Christophe Licoppe, European Commission.