The European Data Protection Supervisor (EDPS) has determined that the European Commission, the executive arm of the European Union renowned for its tech company investigations, has itself breached the EU’s stringent data protection regulations. This verdict followed an inspection into the Commission’s engagement with Microsoft 365, which uncovered inadequacies in its observance of personal data protection law.
Specific Violations and Required Actions
At the core of the violation is the Commission’s failure to specify the types of personal data collected and the precise purposes of that collection within the Microsoft 365 service framework. Furthermore, the evaluation highlighted a significant oversight in ensuring that data transferred outside the European Union by Microsoft received a level of protection equivalent to that mandated within the EU. The EDPS has now directed the European Commission to implement corrective measures by December 9, 2024, to restore compliance with EU data protection laws.
Ongoing Scrutiny and Unresolved Issues
This development adds a layer of complexity to the already intricate relationship between the European Commission and Microsoft. In July 2023, the Commission initiated an inquiry into Microsoft 365 following Salesforce’s claim, dating back to 2020, that Microsoft breached EU competition policies by integrating its Teams video conferencing application with the Microsoft 365 suite. To address these concerns, Microsoft announced its decision to detach Teams and offer it as an independent service within the EU and Switzerland starting October 1, 2023. Despite this, there remain unverified suggestions that the Commission views these efforts as insufficient. The duration and outcome of the Commission’s investigation into Microsoft 365 and Teams remain uncertain, as do any prospective sanctions against Microsoft for non-compliance.
Last Updated on November 7, 2024 9:48 pm CET