The impact of the Microsoft 365 data protection breach on EU users

How did the EU's use of Microsoft 365 violate data protection rules?
A detailed look at how the European Commission uses Microsoft 365 has found that the Commission breached the EU's data protection rules for its institutions by using the cloud-based software suite.
On 11 March 2024, the European Data Protection Supervisor (EDPS) published its findings in a press release, stating that the Commission infringed "several important data protection rules when using Microsoft 365."
European Data Protection Supervisor Wojciech Wiewiorowski explained: "The Commission did not clearly describe what types of personal data would be collected and for what specific reasons when using Microsoft 365." He also noted that the Commission's breaches as a data controller concern how personal data is processed and transferred on its behalf.
The EDPS has given the Commission until 9 December 2024 to bring its processing into compliance if it wishes to keep using the Microsoft cloud suite.
Microsoft and the Commission were asked for their views on the EDPS's findings, but neither had responded at the time of writing.
The regulator, responsible for ensuring EU institutions follow data protection rules, began investigating the Commission's use of Microsoft 365 and other US cloud services in May 2021.
The concern revolves around how Microsoft handles user data from its cloud services. EU regulators have been raising the alarm about this for several years, specifically about the legal grounds on which Microsoft says it uses the data, unclear language in its contracts, and the absence of technical measures ensuring that the data is used only to provide and maintain the service.
When the EDPS opened its investigation, there was no legal framework in place for transfers of personal data from the European Union to the United States: the EU-US Privacy Shield had been invalidated by the Court of Justice of the EU in July 2020 (the Schrems II judgment).
A new arrangement for transatlantic data transfers, the EU-US Data Privacy Framework, was eventually agreed and came into force three years later, in July 2023. For most of the period during which the EDPS was examining the Commission's use of Microsoft 365, however, there was no framework covering transfers of personal data from the EU to the US. This matters because using Microsoft 365 routinely involves personal data flowing to Microsoft's infrastructure in the US.
The EDPS found that the Commission had not put in place sufficient safeguards for the data being exported, so the level of protection for that data was not essentially equivalent to the protection it would receive in the EU/EEA.
As a result, the data watchdog has ordered the Commission to suspend all data flows arising from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA that are not covered by an EU adequacy decision, with the same deadline of 9 December 2024.
In addition, the Commission has been asked to carry out a mapping exercise to clarify which personal data is sent to which recipients in other countries, for what reasons and what safeguards are in place, including any further transfers. It should also ensure that any transfer of data to non-EU countries without an adequacy decision occurs only for necessary tasks within the responsibilities of the controller.
In a broader context, the EDPS has asked the Commission to update its contracts with Microsoft to ensure that they include all the required legal clauses, organisational steps and technical measures. This is to ensure that personal data is only collected for clear and specific reasons, and that those reasons are well defined when it comes to how the data is processed.
According to the order, Microsoft and its affiliates or sub-processors may process data only on documented instructions from the Commission. Processing within the EU/EEA must be governed by EU or Member State law; processing outside the EU/EEA must take place under the law of a third country that provides a level of protection essentially equivalent to that of the EU.
Contracts should also state that the data cannot be used for any reason other than the original purpose for which it was collected.
The EDPS noted that the Commission failed to respect the "purpose limitation" principle, a cornerstone of data protection law. It did not clearly identify which personal data would be collected under its licensing agreement with Microsoft Ireland, and so could not ensure that the purposes of processing were specified and explicit.
Furthermore, the Commission did not give Microsoft sufficiently clear instructions on how to process the data, did not limit processing to those instructions, and did not verify whether Microsoft's subsequent use of the data matched the purposes for which it was originally collected. These are only some of the infringements identified by the EDPS.
In a statement, Wiewiorowski stressed:
It is essential that EU institutions, bodies, offices and agencies ensure that any handling of personal data, whether within or outside the EU/EEA and especially in cloud services, follows strict data protection measures. This is vital to safeguard individuals’ information as required by Regulation (EU) 2018/1725 whenever their data is processed by or on behalf of an EUI.
In recent years, Microsoft has taken steps to address growing concerns from EU regulators about data transfers. It launched an initiative to keep data localised for cloud customers in the region, called the "EU Data Boundary for the Microsoft Cloud". At the time of the decision, however, this technical rollout was still in progress.
Microsoft said that some data would continue to be processed outside the EU, that it planned to complete the rollout by the end of the year, and that it would carefully examine the reasons for the decision. It also said that it was confident its services comply with data protection law both in practice and legally.
Microsoft added that it had made "a number of improvements" to its contract with the Commission over the course of the investigation. The Commission, for its part, confirmed that it is ready to implement the EDPS's recommendations and stressed that data protection is a top priority.
"The Commission is dedicated to ensuring that its use of Microsoft M365 follows data protection rules, and this commitment extends to all other software it procures," it said. It went on: "New data protection rules for EU institutions and bodies came into force on 11 December 2018. The Commission is working hard to establish robust and secure frameworks for working with international partners. These rules guide all our processes and contracts, including those with companies like Microsoft."
While the Commission has publicly underlined its commitment to meeting its legal obligations, it also expressed concern that "following the EDPS decision may negatively affect the current level of mobile and integrated IT services."
"This situation could affect not only Microsoft but also other commercial IT services. However, we need to carefully review the decision and the reasoning behind it. We cannot comment further until our analysis is complete," it added.