A PYMNTS Company

EU Watchdog Orders European Commission to Cease Microsoft Data Transfers

 |  March 11, 2024

The European Commission’s utilization of Microsoft software has been deemed in violation of EU privacy regulations, announced the EU privacy watchdog on Monday. Additionally, the bloc’s executive body has been criticized for failing to implement adequate safeguards concerning the transfer of personal data to non-EU countries.

The European Data Protection Supervisor (EDPS) has issued a directive for the Commission to take immediate measures to adhere to privacy regulations and cease data transfers to Microsoft and its subsidiaries in third countries lacking privacy agreements with the EU. A deadline of December 9 has been set for compliance with both mandates, reported Reuters.

This decision by the EDPS follows a comprehensive three-year investigation triggered by concerns surrounding the transfer of personal data to the United States, particularly in the wake of revelations made in 2013 by former U.S. intelligence contractor Edward Snowden regarding extensive U.S. surveillance practices.

Related: Microsoft Offers To Charge For Teams In EU To Appease Watchdog

“The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA,” stated the watchdog in an official statement. The European Economic Area (EEA) encompasses the 27 EU member states along with Iceland, Liechtenstein, and Norway.

The EDPS further highlighted deficiencies in the Commission’s contract with Microsoft, emphasizing a lack of specification regarding the types of personal data to be collected and for what explicit and specified purposes when utilizing Microsoft 365.

Microsoft 365, comprising Word documents, Excel spreadsheets, PowerPoint presentations, and Outlook emails, is the suite in question. Consequently, the data protection authority has ordered the Commission to suspend all data flows originating from its usage of Microsoft 365 to Microsoft and its affiliates and sub-processors situated in non-European countries lacking adequacy decisions.

Currently, the EU maintains data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain, and the United States.

Source: Reuters