European Commission violated data protection rules when using Microsoft 365

2024: Data Protection Violation with Microsoft 365

The European Data Protection Watchdog (EDPS) has determined that the European Commission violated data protection rules when using Microsoft 365 cloud software. This was announced on March 13, 2024 by the press service of the State Duma deputy RFAnton Nemkin.

The European regulator demanded to eliminate the identified violations until December 2024, and also ordered to suspend the transfer of data to Microsoft 365, which is used outside the EU zone. In addition, the supervisory authority announced the need to make adjustments to contracts with Microsoft.

According to EDPS, the European Commission collected and processed personal data without specifying their types and purposes of use. At the same time, when transferring data outside the EU, proper guarantees of information protection were not established. It is assumed that the restrictions imposed by the regulator will be in effect until the appropriate protective measures are provided.

In its contract with Microsoft, the European Commission did not clearly indicate what types of personal data should be collected and for what explicit and agreed purposes when using Microsoft 365, the regulator said in a statement.

The EDPS stressed that the obligation to ensure reliable measures to protect personal data when processing it in cloud services lies with the EU authorities. The Microsoft has not yet comment on the results of the investigation.

In a broader sense, there is a reaction to the exposure of mass surveillance of American special services both for ordinary citizens and for representatives of various states, he said.

But so far, the measures taken look rather soft. In fact, this approach is unlikely to contribute to a real resolution of the problem of the threat to information security. For example, you cannot be sure that information is not collected, for example, in the background, "he said.

In fact, we are talking about import substitution, which is at an active pace in our country. There is always a risk that foreign vendors will be affiliated with another state. Especially when it comes to the United States, which has been involved in such scandals more than once, the deputy emphasized.

Next in line is a full-fledged transition to office programs of domestic vendors, - said the deputy.

Some EU countries have long been focused on developing their own software in critical industries. But Microsoft is unlikely to allow the loss of this market, too, the parliamentarian concluded.