MICROSOFT 365 and no end in sight
The “long-running issue” of Microsoft 365 continues to keep data protection supervisory authorities busy. The European Data Protection Supervisor (EDPS), the independent supervisory authority responsible for the EU institutions and bodies, has now spoken out.
In a decision dated March 11, 2024 (https://www.edps.europa.eu/press-publications/press-news/press-releases/2024/european-commissions-use-microsoft-365-infringes-data-protection-law-eu-institutions-and-bodies_en), the EDPS ordered the EU Commission, by December 9, 2024, to:
- suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU/EEA that are not covered by an adequacy decision; and
- bring the processing operations resulting from the use of Microsoft 365 into compliance with Regulation (EU) 2018/1725.
The EDPS’s decision is based not on the GDPR but on Regulation (EU) 2018/1725, the data protection law for EU institutions and bodies. The content of that regulation, however, largely corresponds to the GDPR.
In the opinion of the EDPS, the Commission has not sufficiently examined and agreed which personal data is processed by Microsoft for which purposes and transferred to subcontractors.
In particular, the Commission was required to:
- carry out a “transfer mapping” to determine which personal data is transferred to which recipients in which third countries, for which purposes and subject to which safeguards. This should also include onward transfers, i.e. the entire chain of subcontractors used by Microsoft:
  “appraise […] what personal data will be transferred to which recipients in which third countries and for which purposes, thereby […] obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection […]”
  Transfers of data to subcontractors in third countries without an adequate level of protection must be refrained from.
- expressly determine which data is processed by Microsoft and for what purposes, taking into account the purpose limitation principle:
  “sufficiently determine the types of personal data collected under the […] agreement concluded with Microsoft […] in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit; ensure that the purposes for which Microsoft is permitted to collect personal data […] are specified and explicit; provide sufficiently clear documented instructions for the processing […]”.
  It must be transparently regulated which data is agreed upon, and for which purposes. This processing must, of course, be lawful. In particular, clear and detailed rules should ensure that the data is really only processed by Microsoft on behalf of the Commission.
The EDPS’s points of criticism correspond in part to the criticism of the German supervisory authorities, most recently published in the “Evaluation of the current agreement on commissioned processing” of 2.11.2022 (https://www.datenschutzkonferenz-online.de/media/dskb/2022_24_11_festlegung_MS365_abschlussbericht.pdf). It remains to be seen what practical consequences the EDPS’s decision will have for German companies, and whether the German supervisory authorities will take the decision as an opportunity to tighten up their own auditing practices.