EU: EDPS publishes full decision on Commission's use of Microsoft 365

On March 25, 2024, the European Data Protection Supervisor (EDPS) published its full decision in Case 2021-0518 of March 8, 2024, finding, following an investigation, that the European Commission's use of Microsoft 365, provided by Microsoft Ireland Operations Limited, violated the data protection law for EU institutions and bodies (Regulation (EU) 2018/1725) (the Regulation). This follows the initial publication of a press release on the decision on March 11, 2024.

Background to the decision

The EDPS clarified that it initiated its investigation into the Commission's use of Microsoft 365 following the judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (the Schrems II Case). In addition, the EDPS noted that the investigation was part of the 2022 Coordinated Enforcement Action of the European Data Protection Board (EDPB).

Findings of the EDPS

The EDPS found that the Commission failed to limit the processing of personal data to the stated purposes of processing. Specifically, the EDPS found the Commission to have violated:

  • Article 4(1)(b) of the Regulation for failing to sufficiently determine the types of personal data collected in relation to each of the purposes of the processing, and for failing to ensure that the purposes for which Microsoft is permitted to collect data are specified under the Institutional Licensing Agreement of May 7, 2021 (the ILA);
  • Article 29(3)(a) of the Regulation by insufficiently determining in the ILA which types of personal data are to be processed for which purposes;
  • Articles 4(2) and 26(1) of the Regulation in conjunction with Article 30 of the Regulation by failing to ensure Microsoft processed personal data to provide its services only on documented instructions;
  • Article 6 of the Regulation by failing to assess whether the purposes for processing are compatible with the purposes for which the data was initially collected; and
  • Article 9 of the Regulation by failing to assess whether it was necessary and proportionate to transmit the personal data to Microsoft Ireland and its subprocessors located in the EEA for a specific purpose in the public interest.

In addition, the EDPS found that the Commission's use of Microsoft 365 was in violation of the Regulation with regard to international data transfers. This includes violations of:

  • Article 29(3)(a) of the Regulation for failing to clearly provide in the ILA what types of personal data can be transferred to which recipients in which third country, and for which purposes;
  • Articles 4(2), 46, and 48 of the Regulation by failing to provide appropriate safeguards ensuring that transferred personal data enjoys a level of protection essentially equivalent to that in the EEA;
  • Articles 4(2), 46, 48(1), and 48(3)(a) of the Regulation by concluding Standard Contractual Clauses (SCCs) without clearly mapping the proposed transfers or conducting a transfer impact assessment, and by failing to obtain authorization for the SCCs from the EDPS as required by Article 48(3)(a) of the Regulation; and
  • Article 47(1) of the Regulation by failing to ensure the data transfers take place solely to allow tasks within the competence of the controller to be carried out.

Finally, the EDPS also considered the Commission's use of Microsoft 365 to result in unauthorized disclosures of personal data. This includes violations of:

  • Article 29(3)(a) of the Regulation by not ensuring that, for personal data processed in the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure; and
  • Articles 4(1)(f), 33(1), 33(2), and 36 of the Regulation by not assessing the legislation of all third countries to which personal data may be envisaged to be transferred under the ILA, and by failing to implement effective technical and organizational measures that would ensure processing in accordance with the principle of integrity and confidentiality.

Outcomes

In light of the above, the EDPS issued a reprimand to the Commission and imposed the following corrective measures, among others, requiring that the Commission:

  • suspend, with effect from December 9, 2024, all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors, located outside the EU/EEA, not covered by an adequacy decision;
  • bring, by December 9, 2024, the processing operations resulting from the use of Microsoft 365 into compliance with the Regulation;
  • ensure, by way of contractual provisions, that personal data is collected for explicit and specified purposes, the types of personal data are sufficiently determined in relation to the purpose, and any processing carried out by Microsoft, its affiliates, or subprocessors is only carried out on the Commission's documented instructions;
  • ensure that all transfers take place solely to allow tasks within the competence of the controller; and
  • carry out a transfer mapping exercise identifying what personal data are transferred to which recipients in which third countries.

You can read the press release here and the decision here.