The European Commission infringed data protection rules within its own jurisdiction, according to an investigation by the European Data Protection Supervisor (EPDS).
The European Commission reportedly infringed rules through its management of Microsoft 365 data. The EDPS found the Commission had broken a number of key provisions, including the “EU’s data protection law for EU institutions, bodies, offices, and agencies.”
Perhaps most notably, the Commission breached provisions for managing the safe transferral of personal data outside the EU or European Economic Area (EEA).
The EDPS found it failed to provide “appropriate safeguards” to ensure that personal data transferred outside of the EU or EEA was afforded an “essentially equivalent level of protection as guaranteed in the EU/EEA.”
According to the privacy watchdog, the Commission also failed to clearly specify what type of personal data was to be collected and for what purposes it was to be collected when using Microsoft 365.
Several infringements concerned “all processing operations” carried out by the Commission when using Microsoft 365, and a “large number of individuals” were therefore affected.
“It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” said Wojciech Wiewiórowski of the EDPS.
The European Commission’s role as a data controller also formed part of the inquiry, with the investigation extending to data processing and personal data transfers carried out on the commissions behalf.
The European Commission will face penalties
On the basis of this investigation’s results, the EDPS has ordered the Commission to suspend all the data flows to Microsoft and its affiliates or sub-processors outside of the EU that result from the use of Microsoft 365.
The EU watchdog will also order the Commission to bring its Microsoft 365 processing operations “into compliance with Regulation (EU) 2018/1725.” The Commission must comply with both these orders by 9 December 2024.
“The EDPS considers that the corrective measures it imposes … are appropriate, necessary and proportionate in light of the seriousness and duration of the infringements found,” the watchdog said.
Noting the important public role of the Commission, however, the EDPS did note that it would look to avoid compromising the Commission’s ability to “carry out its tasks in the public interest.”