The “long-running issue” of Microsoft 365 continues to keep data protection supervisory authorities busy. The European Data Protection Supervisor (EDPS), the independent supervisory authority responsible for the EU institutions and bodies, has now spoken out.
In a decision dated March 11, 2024 (https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en), the EDPS instructed the EU Commission to do the following by December 9, 2024:
- suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU/EEA that are not covered by an adequacy decision; and
- bring the processing operations resulting from the use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.
The decision of the EDPS is not based on the GDPR, but on Regulation 2018/1725. This is the data protection law for EU institutions and bodies. However, the content of the regulation largely corresponds to the GDPR.
In the opinion of the EDPS, the Commission has not sufficiently examined and agreed which personal data is processed by Microsoft for which purposes and transferred to subcontractors.
In particular, the Commission was required to:
- carry out a “transfer mapping” to determine which personal data is transferred to which recipients in which third countries, for which purposes and subject to which safeguards. This should also include onward transfers, i.e. the entire subcontractor chain used by Microsoft:
“appraise […] what personal data will be transferred to which recipients in which third countries and for which purposes, thereby […] obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection […]”
Transfers of data to subcontractors in third countries without an adequate level of protection must not take place.
- expressly determine which data is processed by Microsoft and for what purposes, taking into account the purpose limitation principle:
“sufficiently determine the types of personal data collected under the […] agreement concluded with Microsoft […] in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit; ensure that the purposes for which Microsoft is permitted to collect personal data [….] are specified and explicit; provide sufficiently clear documented instructions for the processing […]”.
Which data is processed for which purposes must be regulated transparently, and this processing must, of course, be lawful. In particular, clear and detailed rules should ensure that the data processed by Microsoft is really only used on behalf of the Commission.
The points of criticism of the EDPS correspond in part to the criticism of the German supervisory authorities, which was last published in the “Evaluation of the current agreement on commissioned processing” of 2.11.2022 (https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf). It remains to be seen what practical consequences the EDPS’s decision will have for German companies and whether the German supervisory authorities will take the decision as an opportunity to tighten up their own auditing practices.
The European Commission published the draft Data Act on February 23, 2022. The Data Act draft regulates the provision of data by the data owner to the user, to third parties and to public bodies and includes legal frameworks for data access and data use. The background to the regulation is that there is currently no legal regulation on data sovereignty and all parties involved rely on voluntary exchange.
With the Data Act draft, the European Commission now wants to clarify who may commercially exploit data and under what conditions this takes place. In addition, special provisions are made for micro, small and medium-sized enterprises as well as so-called “gatekeepers”.
Basic content of the draft Data Act
The draft regulates the exchange of user-generated data between companies and between consumers and companies. Large parts of the data collected by companies and by consumers in connection with networked devices and digital services must in future be made technically and legally accessible to users, who can then pass the data on to third parties.
The regulations in the draft include, for example, product requirements for easy and secure data access (“access by design and by default”), pre-contractual information obligations and the need for a usage agreement between data owner and user, data access claims and provision obligations, as well as regulations on data transfer by the data owner to third parties at the instigation of the user. However, it also regulates requirements for corresponding consideration (e.g., fairness, appropriateness) and criteria for abusive contractual clauses in order to protect smaller companies.
In addition, there are to be regulations for the transfer of data to public bodies and EU institutions, bodies and other bodies in emergency situations.
The draft also stipulates that the European Commission should provide non-binding model contractual conditions for data access and use. The member states are then to issue corresponding regulations on sanctions in the event of violations.
Addressees of the draft Data Act
The Data Act draft applies to:
- all manufacturers of products and providers of related services placed on the market in the EU, and users of such products or services;
- data controllers who provide data to recipients in the EU;
- data recipients in the EU to whom data is provided;
- public bodies and EU institutions, bodies and agencies.
Similar to the GDPR, the regulations are also intended to apply to companies based outside the EU if they provide relevant services to customers in the EU.
Outlook
The European Parliament and the Council have adopted their positions on the draft and, like the member states, are calling for various amendments. Further negotiations will focus in particular on the scope of application of the Data Act, ensuring the protection of trade secrets, remuneration issues and regulations on provider switching and protection against unfair contract terms. On March 29, 2023, the first trilogue took place. However, as the positions of the Council and Parliament are not too far apart, an agreement is generally expected before the summer break or shortly thereafter.