The European Data Protection Supervisor (EDPS) issued a press release about the use of Microsoft 365 within the European Commission (EC). The press release opens with:
"Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission."
The Commission has been violating several data protection laws, and the EDPS has ordered it to suspend all data flows to Microsoft and to its sub-processors that are not located within the EU. The European Commission needs to suspend its use of Microsoft before the 9th of December 2024.
The EC has also been ordered to check the compliance of its Microsoft 365 use with existing data protection law. The EDPS has concluded that not enough attention has been paid to making sure data is as secure outside of the EU as it is within the European Union.
The contracts that the EC has with Microsoft have not been handled correctly either. It is not clear enough which personal data is collected and for what purposes. This is something we know Microsoft likes to keep vague on purpose.
The EDPS also stated that:
"Many of the infringements found concern all processing operations carried out by the Commission, or on its behalf, when using Microsoft 365, and impact a large number of individuals."
This means that almost the whole of Microsoft 365 is unsafe according to data protection law and many individuals are impacted by that improper use.
Wojciech Wiewiórowski, appointed by the European Parliament and the Council, said:
"It is the responsibility of the EU institutions, bodies, offices and agencies (EUIs) to ensure that any processing of personal data outside and inside the EU/EEA, including in the context of cloud-based services, is accompanied by robust data protection safeguards and measures. This is imperative to ensure that individuals’ information is protected, as required by Regulation (EU) 2018/1725, whenever their data is processed by, or on behalf of, an EUI."
This is another case that shows the importance of taking data security and privacy very seriously, especially in light of the new NIS2 directive that comes into effect at the end of 2024.
Want to avoid mistakes like this yourself and stop worrying about privacy?
We have been dedicated to privacy, security, and reliability since we were founded. With a full range of products, we can satisfy every need your business might have in terms of cloud services, email, video calling, password management, servers, webhosting, and more.
With our data center located in the EU and no use of sub-processors, you are guaranteed that absolutely no one can access, hack, or sell your data.