Microsoft France headquarters entrance in Issy les Moulineaux near Paris

Image Credits:Jean-Luc Ichard / Getty Images

Cloud Computing

Commerce

Crypto

Enterprise

EVs

Fintech

Fundraising

Gadgets

Gaming

Google

Government & Policy

Hardware

Instagram

Layoffs

Media & Entertainment

Meta

Microsoft

Privacy

Robotics

certificate

Social

Space

Startups

TikTok

Transportation

Venture

More from TechCrunch

Events

Startup Battlefield

StrictlyVC

newssheet

Podcasts

Videos

Partner Content

TechCrunch Brand Studio

Crunchboard

Contact Us

A lengthy probe into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software.

Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed “several key data protection rules when using Microsoft 365”.

“The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiórowski, wrote, adding: “The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.”

The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft’s cloud suite.

Microsoft and the Commission were contacted for a response to the EDPS’ findings. But at the time of writing neither had responded.

The regulator, which oversees EU institutions’ compliance with data protection rules, opened an investigation of the Commission’s use of Microsoft 365 and other U.S. cloud services back in May 2021.

At issue is how Microsoft processes the data of users of its cloud service. EU regulators have been flagging concerns about this for years, including in relation to the legal basis Microsoft claims for processing data; a lack of clarity and precision in the wording of its contracts for the product; and no technical safeguards being applied to ensure data is only being used for providing and maintaining the service.

When the EDPS started the investigation there was also no data transfer agreement in place between the bloc and the U.S., following the striking down of the EU-U.S. Privacy Shield in July 2020.

A new transatlantic data transfer agreement was later agreed and adopted, three years later (July 2023). But for much of the period the EDPS was investigating the Commission’s use of Microsoft 365 there was no deal in place covering data transfers from the EU to the U.S. Yet use of Microsoft 365 routinely resulted in data flowing back to Microsoft’s servers in the U.S.

On data transfers, the EDPS found the Commission failed to ensure adequate safeguards were applied to these data exports to ensure essentially equivalent protection for data was in place once it left the bloc.

The data supervisor has ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an EU adequacy decision on data transfers, again with a deadline of December 9 for this.

It has also been ordered to carry out a data transfer-mapping exercise, identifying “what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including any onward transfers”. It must also ensure all transfers to non-EU countries without an adequacy decision take place “solely to allow tasks within the competence of the controller to be carried out”.

More broadly, the EDPS’ corrective measures require the Commission to fix its contracts with Microsoft, to ensure they contain the necessary contractual provisions, organisational measures and/or technical measures to ensure personal data is only collected for explicit and specified purposes; and “sufficiently determined” in relation to the purposes for which they are processed.

Data must also only be processed by Microsoft or its affiliates or sub-processors “on the Commission’s documented instructions”, per the order, unless it takes place within the region and processing is for a purpose that complies with EU or Member State law; or, if outside the region to be processed for another purpose under third-country law, there must be essentially equivalent protection applied.

The contracts must also ensure there is no further processing of data — i.e. use beyond the original purpose for which data is collected .

The EDPS found the Commission infringed the “purpose limitation” principle of applicable data protection rules by failing to sufficiently determine the types of personal data collected under the licensing agreement it concluded with Microsoft Ireland, meaning it was unable to ensure these were specific and explicit.

The EU also failed to provide sufficiently clear documented instructions to Microsoft regarding the processing; failed to ensure its processing was specified by instruction; and failed to assess the compliance of Microsoft’s further processing with the purpose initially stated for the collection, among other violations of the rules the EDPS identified.

Commenting in a statement, Wiewiórowski wrote:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.

Over the last few years, Microsoft has responded to amped up EU regulatory risk attached to data transfers by expanding a data localization effort focused on regional cloud customers, in an infrastructure it’s branded the “EU Data Boundary for the Microsoft Cloud”. However the technical infrastructure is still in the process of being rolled out. It also remains porous by design, with some data set to remain accessible outside the EU even when the rollout is slated to be completed at the end of this year, per Microsoft.

Update: The Commission confirmed receipt of the EDPB’s decision and said it will need to analyze the reasoning “in detail” before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with “the applicable data protection rules, both in fact and in law”. It also said “various improvements” have been made to contracts, with the EDPS, during its investigation.

“We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation,” it said. “The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission.”

“The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission,” it went on, further noting: “New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft.”

While the Commission’s public statements reiterated that it’s committed to compliance with its legal obligations, it also claimed that “compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services”.