The European Commission breached data protection rules within its own jurisdiction, according to an investigation by the European Data Protection Supervisor (EDPS).
The European Commission reportedly broke rules when handling Microsoft 365 data. The EDPS found that the Commission had violated a number of key provisions, including the “EU data protection law for institutions, bodies, offices and EU agencies”.
Perhaps most notably, the Commission breached provisions to manage the secure transfer of personal data outside the EU or European Economic Area (EEA).
The EDPS concluded that it had not provided “appropriate safeguards” to ensure that personal data transferred outside the EU or EEA received an “essentially equivalent level of protection to that guaranteed in the EU/EEA”.
According to the privacy watchdog, the Commission also did not clearly specify what type of personal data should be collected and for what purposes when using Microsoft 365.
Several infringements concerned “all processing operations” carried out by the Commission when using Microsoft 365 and therefore “a large number of people” were affected.
“It is the responsibility of the EU institutions, bodies, offices and agencies (EUI) to ensure that any processing of personal data outside and within the EU/EEA, including in the context of cloud-based services, is accompanied by solid data protection safeguards and measures,” said Wojciech Wiewiórowski from the EDPS.
The role of the European Commission as a data controller was also part of the investigation, which extended to data processing and transfers of personal data carried out on behalf of the Commission.
The European Commission will face sanctions
Based on the results of this investigation, the EDPS has ordered the Commission to suspend all data flows to Microsoft and its subsidiaries or subprocessors outside the EU resulting from the use of Microsoft 365.
The EU watchdog will also order the Commission to align its Microsoft 365 processing operations “with Regulation (EU) 2018/1725.” The Commission must comply with both orders by December 9, 2024.
“The EDPS considers that the corrective measures it imposes… are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found,” the watchdog said.
However, in view of the Commission's important public role, the EDPS said it would seek to avoid compromising the Commission's ability to “carry out its tasks in the public interest”.