The European Commission failed to safeguard the transfer of data being sent through the M365 app from the EU to other regions.

The European Commission (EC) has violated several key data protection rules in its use of Microsoft 365 regarding the transfer of people’s personal data from Europe to other regions not covered by EU data-protection laws, a key European privacy watchdog found.

The European Data Protection Supervisor (EDPS) on Tuesday chastised the EC after finding it did not take proper protective measures when sending personal data outside the EU and European Economic Area (EEA) when using the cloud-based app. In addition, the EC failed to specify in its contract with Microsoft “what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” according to an EDPS statement.

The findings — the result of a three-year investigation that began in 2021 — suggest that, like tech giants, even trusted government entities that should have data privacy as a top priority don’t necessarily keep the data they collect safe.

“It is the responsibility of the EU institutions, bodies, offices, and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures,” EDPS Supervisor Wojciech Wiewiórowski said in a statement.

Compliance required

Specifically, the EC violated Regulation (EU) 2018/1725, the EU’s data protection law for EUIs. Moreover, many of the infringements concern “all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365,” affecting “a large number of individuals,” according to the EDPS.
As a result, the EDPS has ordered the commission to suspend all data flows resulting from its use of Microsoft 365 not only to Microsoft, but also to its affiliates and sub-processors located in countries outside the EU/EEA that don’t have an adequacy agreement with the EC.

Typically, these agreements — which the EC has with various regions — dictate how the transfer of personal data is handled once it leaves the EU. This is to ensure that the data is protected under EU laws even when sent to another country where data-privacy laws differ. The EU has data adequacy agreements with 16 countries, including Argentina, Japan, South Korea, Switzerland, the UK, and the US.

Aware that suspending a large number of data flows is complicated, the watchdog is giving the commission “appropriate time” to comply with the suspension so as not “to compromise the Commission’s ability to carry out its tasks in the public interest or to exercise official authority,” the EDPS said. Further, the EC has until Dec. 9 to demonstrate to the EDPS that all processing operations resulting from its use of Microsoft 365 are in compliance with Regulation (EU) 2018/1725.

Is secure data a myth?

Even the required compliance ultimately “might not change anything” unless it’s backed “with either continuous enforcement or requirements on a more granular disclosure/audit,” said Narayana Pappu, CEO at Zendata, a provider of data security and privacy compliance solutions.

That’s because securing data once it’s been transferred via the Internet — whether it’s collected by government entities, social-media companies, or online applications — is difficult, despite well-meaning attempts at regulation and protection by various regulatory bodies. “It is difficult to truly understand what happens with data once it’s collected,” Pappu said.
The scenario becomes even more complicated with cloud-based applications, which “follow a microservice architecture with tens and even hundreds of third-party subprocessors,” he said. “It is difficult to really evaluate what is going on with the data and how it is being used.”

Moreover, sometimes an entity collecting data online doesn’t even know the data is being shared, he said, citing a case in which DuckDuckGo, the search platform that prides itself on privacy, was unknowingly sharing information with Microsoft. “This was not obvious in their disclosures and did not come up until an investigation by a web expert,” Pappu said.