News from Europe: EDPS audit Microsoft
Current issues and key tasks of the European Data Protection Supervisor (EDPS)
The article describes the role of the EDPS on the basis of the EU GDPR and focuses on the investigation into the use of Microsoft 365 in EU institutions, in which the EDPS uncovered data protection violations. The text also addresses the growing challenges posed by new technologies, in particular artificial intelligence (AI), and highlights the resulting tasks of the EDPS. The future role of the EDPS as a supervisory authority for AI systems in the EU institutions is also discussed.
I. The EDPS and the EU GDPR
The European Data Protection Supervisor (EDPS) plays a central role in ensuring data protection in the European Union (EU). Since its creation in 2004, the EDPS has overseen compliance with data protection rules by EU institutions, offices and agencies. With the adoption of Regulation (EU) 2018/1725, the specific data protection regulation for EU institutions (EU GDPR), the range of tasks of the EDPS has expanded.
The EDPS is an independent supervisory authority responsible for monitoring compliance with data protection rules by currently 75 EU institutions and bodies, including major institutions such as the European Commission and Europol. The tasks of the EDPS correspond to those of national data protection authorities and include, for example, advice, technology foresight, supervision and cooperation with national authorities.
According to Art. 2(3) GDPR, the General Data Protection Regulation (GDPR) does not apply to the processing of personal data by EU institutions, bodies, offices and agencies; instead, the EU GDPR applies. While the EU GDPR follows the GDPR in many respects, it contains additional provisions that are specifically tailored to the needs of the EU institutions. These include more detailed rules on the position and tasks of the data protection officer as well as more detailed provisions on data transfers to third countries. The EU GDPR also adopts provisions to protect the confidentiality of electronic communications based on the ePrivacy Directive. Another striking feature is the set of rules laid down in Chapter IX of the EU GDPR for the processing of operational personal data by bodies, agencies and offices of the Union in the field of judicial cooperation in criminal matters and police cooperation, which largely replicate the provisions of the Police Directive.
The EDPS is also empowered to impose fines for EU GDPR infringements by Union institutions and bodies. However, in contrast to the GDPR, where fines can supplement or replace other supervisory remedies, Article 66 of the EU GDPR authorizes the imposition of fines only after non-compliance with individual remedies. In addition, the maximum fines are lower than under the GDPR: as a rule they may not exceed EUR 25,000 per infringement and EUR 250,000 per year. Fines of up to EUR 50,000 per incident and EUR 500,000 per year can only be imposed for breaches of basic processing principles, data subjects’ rights or rules on transfers to third countries. The revenue from fines imposed does not directly benefit the EDPS, but flows into the general budget of the Union.
It should be emphasized that, according to the case law of the European Court of Justice (ECJ), the provisions of the GDPR and the EU GDPR are to be interpreted uniformly. Recital 5 of the EU GDPR also expressly states: “Insofar as the provisions of this Regulation are based on the same principles as those of Regulation (EU) 2016/679, those provisions of the two Regulations should be interpreted uniformly, taking into account the case law of the Court of Justice of the European Union, in particular since the framework of this Regulation should be understood as equivalent to the framework of Regulation (EU) 2016/679.” In view of this requirement for a uniform interpretation, judgments of the EU courts on the application of the EU GDPR can therefore regularly provide valuable guidance for the interpretation of the GDPR and the Police Directive.
II. The data protection review of the European Commission’s use of Microsoft 365
In May 2021, the EDPS launched an audit of the European Commission, assessing its use of Microsoft 365 in light of the ECJ’s “Schrems II” judgment. The EDPS investigation also took into account the findings of other supervisory authorities and uncovered a number of data protection violations by the Commission that called into question the data protection compliance of the use of the Microsoft 365 office suite.
1. EDPS audit result
One of the EDPS’s key criticisms was that the Commission had failed to clearly define what personal data was processed in the context of Microsoft 365 and for what specific purposes this data was used. Instead, general phrases such as “ongoing improvement of the service” or “troubleshooting” were used, which did not provide sufficient clarity about the processing activities actually carried out.
Another infringement concerned the Commission’s lack of transparency regarding the transfer of data to third countries. The EDPS found that the Commission was unable to provide an overview of the types of data processed and transferred to third countries in the context of the use of Microsoft 365. Although the Commission acknowledged that data transfers to 74 countries were possible, it argued that these were rare and limited. It referred to additional protective measures such as the EU data boundary, which stipulates that certain data of EU users should generally be stored in the EU.
However, the EDPS criticized that these protective measures were incomplete and that numerous data transfers, for example in the context of bug fixes or support services by Microsoft employees outside the EU, were not covered by the “EU Data Boundary”. The EDPS also pointed out that the Commission had not sufficiently documented the actual data flows.
The technical and organizational measures implemented by the European Commission to protect against unauthorized disclosure of personal data were also assessed as insufficient by the EDPS. Although the Commission had introduced encryption and pseudonymization measures, the EDPS found that these measures did not provide sufficient security in practice.
2. Decision of the EDPS
Based on the breaches identified, the EDPS adopted a series of corrective measures in a decision dated March 8, 2024, which the European Commission must implement by December 2024. The most important measures include a warning and:
- Suspension of data transfers to unsafe third countries
  The EDPS ordered the suspension of data transfers resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in third countries not covered by an adequacy decision.
- Clarification of data and processing purposes
  The Commission has been instructed to bring the processing operations into line with the EU GDPR and, in particular, to specify the personal data collected and the purposes of the processing in connection with the use of Microsoft 365. This includes creating an overview of all data processing operations and determining which data is processed for which purposes.
- More effective measures to protect against unauthorized disclosures
  The Commission must review its security measures, in particular with regard to encryption and access controls, and ensure that access to personal data by third parties, including authorities in third countries, is prevented or at least controlled.
- Review of contractual terms with Microsoft
  The Commission has been asked to adapt its contractual agreements with Microsoft to ensure that they meet the requirements of the EU GDPR.
3. Reactions from the Commission and Microsoft
Both the European Commission and Microsoft have filed complaints against the EDPS’s decision. They dispute not only the findings of the EDPS, but also its understanding of data protection obligations and the burden of proof in the context of the investigation.
The future judgments of the General Court in these cases will be able to clarify important issues that are relevant not only for this specific case, but also for future audits and the supervisory activities of the EDPS in general.
III. Focus of the EDPS’s activities in the area of data protection
In addition to its supervisory role, the EDPS advises the European Commission, the European Parliament and the Council as co-legislators on legislative proposals in accordance with Article 42 of the EU GDPR. The numerous responses and opinions of the EDPS concern data protection aspects, in particular of new legislative proposals in the areas of justice and home affairs and artificial intelligence (AI). In addition, the EDPS regularly publishes reports on technological developments that affect data protection, such as the TechSonar report and TechDispatch.
The growing use of cloud services and the increasing transfer of data in international contexts pose new challenges for the EDPS. The increasingly large-scale processing of operational data by law enforcement authorities such as Europol and Eurojust also remains an area of particular concern, which led the EDPS, among other things, to apply to the General Court of the EU for the annulment of two provisions of the Europol Regulation as amended in 2022.
IV. Artificial intelligence: the EDPS as a market surveillance authority
The protection of personal data when using AI technologies is of central importance. At the beginning of 2024, the EDPS published guidelines on data principles in the use of generative AI.
With the introduction of the AI Regulation, the EDPS has taken on an additional role as a supervisory authority for AI systems in the EU institutions. In this regard, the EDPS has developed a strategy to ensure that EU institutions comply with data protection requirements when implementing AI. A central point of this strategy is the appointment of an “AI contact person” in the EU institutions. In addition, the EDPS considers it essential that data protection officers must be involved as early as possible in any case where public authorities intend to develop or use AI systems that process personal data.
Conclusion
The EDPS plays a central role in enforcing EU data protection rules vis-à-vis the EU institutions. The review of the European Commission’s use of Microsoft 365 demonstrates the importance of protecting personal data in a digitalised and globally connected world. The EDPS faces major challenges from complex new technologies such as cloud services and AI, which require constant adaptation and further development of its supervision. In particular, its new role as market surveillance authority for AI systems highlights the importance of data protection compliance in the public sector and shows that data protection in the context of new technologies requires constant attention.