
EU’s use of Microsoft 365 found to breach data protection rules


A lengthy investigation into the European Union’s use of Microsoft 365 has found the Commission breached the bloc’s data protection rules through its use of the cloud-based productivity software.

Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed “several key data protection rules when using Microsoft 365”.

“The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365,” the data supervisor, Wojciech Wiewiórowski, wrote, adding: “The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.”

The EDPS has imposed corrective measures requiring the Commission to address the compliance issues it has identified by December 9 2024, assuming it continues to use Microsoft’s cloud suite.

Microsoft and the Commission were contacted for a response to the EDPS’ findings. But at the time of writing neither had responded.

The regulator, which oversees EU institutions’ compliance with data protection rules, opened a probe of the Commission’s use of Microsoft 365 and other US cloud services back in May 2021.

At issue is how Microsoft processes the data of users of its cloud service. EU regulators have been flagging concerns about this for years, including in relation to the legal basis Microsoft claims for processing data; a lack of clarity and precision in the wording of its contracts for the product; and no technical safeguards being applied to ensure data is only being used for providing and maintaining the service.

When the EDPS opened the investigation there was also no data transfer agreement in place between the bloc and the US, following the striking down of the EU-US Privacy Shield in July 2020.

A new transatlantic data transfer agreement was subsequently agreed and adopted, three years later (July 2023). But for much of the period the EDPS was investigating the Commission’s use of Microsoft 365 there was no deal in place covering data transfers from the EU to the US. Yet use of Microsoft 365 routinely results in data flowing back to Microsoft’s servers in the US.

On data transfers, the EDPS found the Commission failed to ensure adequate safeguards were applied to these data exports to ensure essentially equivalent protections for data were in place once it left the bloc.

The data supervisor has ordered the Commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and its affiliates and sub-processors located in countries outside the EU/EEA not covered by an EU adequacy decision on data transfers — again, with a deadline of December 9 for this.

It has also been ordered to carry out a data transfer-mapping exercise — identifying “what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including onward transfers”. It must also ensure all transfers to non-EU countries without an adequacy decision take place “only to allow tasks within the competence of the controller to be carried out”.

More broadly, the EDPS’ corrective measures require the Commission to fix its contracts with Microsoft — to ensure they contain the necessary contractual provisions, organisational measures and/or technical measures to ensure personal data is only collected for explicit and specified purposes; and “sufficiently determined” in relation to the purposes for which they are processed.

Data must also only be processed by Microsoft or its affiliates or sub-processors “on the Commission’s documented instructions”, per the order — unless it takes place within the region and processing is for a purpose that complies with EU or Member State law; or, if outside the region and processed for another purpose under third-country law, essentially equivalent protection must be applied.

The contracts must also ensure there is no further processing of data — i.e. uses beyond the original purpose for which data is collected.

The EDPS found the Commission infringed the “purpose limitation” principle of applicable data protection rules by failing to sufficiently determine the types of personal data collected under the licensing agreement it concluded with Microsoft Ireland, meaning it was unable to ensure these were specific and explicit.

The EU also failed to provide sufficiently clear documented instructions to Microsoft regarding the processing; failed to ensure its processing was limited by instruction; and did not assess the compliance of Microsoft’s further processing with the purpose originally stated for the collection, among other violations of the rules the EDPS identified.

Commenting in a statement, Wiewiórowski wrote:

It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data inside and outside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI.

Over the past few years, Microsoft has responded to heightened EU regulatory risk attached to data transfers by expanding a data localization effort focused on regional cloud customers — in an infrastructure it has branded the “EU Data Boundary for the Microsoft Cloud”. However, the technical infrastructure is still in the process of being rolled out. It also remains porous by design, with some data set to remain accessible outside the EU even when the rollout is slated to be completed at the end of this year, per Microsoft.
