European Commission’s use of Microsoft software ‘breached privacy rules’
The EU privacy watchdog had ordered the commission to halt data transfer to the US company
11 March 2024 - 17:13
byFoo Yun Chee
Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
Brussels — The European Commission’s use of Microsoft software breached EU privacy rules and the bloc’s executive also failed to implement adequate safeguards for personal data transferred to non-EU countries, the EU privacy watchdog said on Monday.
The European Data Protection Supervisor (EDPS) ordered the commission to take measures to comply with privacy rules and to halt data transfer to the US company and subsidiaries located in third countries which do not have privacy deals with the EU, setting a deadline of December 9 for both orders.
The EDPS's decision followed a three-year probe triggered by worries about the transfer of personal data to the US after revelations in 2013 by former US intelligence contractor Edward Snowden of mass US surveillance.
“The commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA [European Economic Area] are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA,” the watchdog said in a statement.
The EEA is made up of the 27 EU countries and Iceland, Liechtenstein and Norway.
“In its contract with Microsoft, the commission did not sufficiently specify what types of personal data is to be collected and for which explicit and specified purposes when using Microsoft 365,” the EDPS said.
Microsoft 365 is the product suite that includes Word documents, Excel spreadsheets, PowerPoint presentations and Outlook emails.
The data protection authority ordered the commission to suspend all data flows resulting from its use of Microsoft 365 to the company and its affiliates and sub-processors located in countries outside Europe that are not covered by an adequacy decision.
The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain and the US.
The commission did not immediately respond to a request for comment.
Microsoft said it would review the EDPS’ decision and work with the EU executive to address the concerns.
“Concerns raised by the EDPS relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the EU institutions,” a spokesperson said.
The EU executive was also told to take measures to ensure that its use of Microsoft 365 complied with privacy rules.
Support our award-winning journalism. The Premium package (digital only) is R30 for the first month and thereafter you pay R129 p/m now ad-free for all subscribers.
European Commission’s use of Microsoft software ‘breached privacy rules’
The EU privacy watchdog had ordered the commission to halt data transfer to the US company
Brussels — The European Commission’s use of Microsoft software breached EU privacy rules and the bloc’s executive also failed to implement adequate safeguards for personal data transferred to non-EU countries, the EU privacy watchdog said on Monday.
The European Data Protection Supervisor (EDPS) ordered the commission to take measures to comply with privacy rules and to halt data transfer to the US company and subsidiaries located in third countries which do not have privacy deals with the EU, setting a deadline of December 9 for both orders.
The EDPS's decision followed a three-year probe triggered by worries about the transfer of personal data to the US after revelations in 2013 by former US intelligence contractor Edward Snowden of mass US surveillance.
“The commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA [European Economic Area] are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA,” the watchdog said in a statement.
The EEA is made up of the 27 EU countries and Iceland, Liechtenstein and Norway.
“In its contract with Microsoft, the commission did not sufficiently specify what types of personal data is to be collected and for which explicit and specified purposes when using Microsoft 365,” the EDPS said.
Microsoft 365 is the product suite that includes Word documents, Excel spreadsheets, PowerPoint presentations and Outlook emails.
The data protection authority ordered the commission to suspend all data flows resulting from its use of Microsoft 365 to the company and its affiliates and sub-processors located in countries outside Europe that are not covered by an adequacy decision.
The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, Britain and the US.
The commission did not immediately respond to a request for comment.
Microsoft said it would review the EDPS’ decision and work with the EU executive to address the concerns.
“Concerns raised by the EDPS relate largely to stricter transparency requirements under the EUDPR, a law that applies only to the EU institutions,” a spokesperson said.
The EU executive was also told to take measures to ensure that its use of Microsoft 365 complied with privacy rules.
Reuters
Would you like to comment on this article?
Sign up (it's quick and free) or sign in now.
Please read our Comment Policy before commenting.
Most Read
Published by Arena Holdings and distributed with the Financial Mail on the last Thursday of every month except December and January.