By Jason Priebe and Danny Riley

Seyfarth Synopsis: The European Union (EU)’s government organizations are just like any another entity trying to function in a world where global companies and even government entities are reliant on digital platforms for messaging and collaboration. For years, there has been debate about how platforms like Microsoft 365, formerly Office 365, could be deployed in a way that complies with the GDPR processing and transfer restrictions. And it turns out that even the European Commission (EC) itself can apparently get it wrong. In a surprising turn of events earlier this month, the European Data Protection Supervisor (EDPS) concluded its nearly three year investigation into the Commission’s own deployment and use of Microsoft 365, signaling a pivotal moment in the conversation about the GDPR privacy and security requirements for cloud-based messaging and document collaboration platforms.

The Catalyst for Change

The EDPS’s investigation, spurred by the well-known Irish DPC case initiated by Maximillian Schrems (C-311/18), widely referred to as the “Schrems II” case, and as part of the 2022 Coordinated Enforcement Action of the European Data Protection Board (EDPB), unearthed several critical issues with the Commission’s deployment of Microsoft 365. These findings reportedly involve the EC’s failure to ensure that personal data transferred outside the EU/EEA is afforded protection equivalent to that within the EU/EEA and a lack of specificity in contracts between the Commission and Microsoft regarding the types of personal data collected and the purposes for its collection.  Those contractual terms, and accompanying GDPR safeguards and commitments are of course the same terms that every other global company is using with Microsoft, posted on the Microsoft website and generally not open for negotiation or discussion.

The EDPS’s Verdict

The resolution to the findings is as unprecedented as the investigation itself. The EDPS issued the EC a reprimand and imposed corrective measures demanding the suspension of all data flows from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors outside the EU/EEA not covered by an adequacy decision, effective December 9, 2024. Additionally, the Commission must demonstrate its compliance with Regulation (EU) 2018/1725, specifically regarding purpose limitation, data transfers outside the EU/EEA, and unauthorized data disclosures by the same date.

This decision, the first of its kind, raises important questions about the future of data protection enforcement within the EU – and the use and deployment of any cloud-based platform like Microsoft 365 by any company established in the EU. What mechanisms will be or can be employed to ensure compliance? How will this affect the technical and logistical operations of the European Commission and potentially other EU institutions and bodies as they transition data flows to new servers?

A Roadmap for Compliance

Despite the challenges and short term confusion this decision presents, it also offers a silver lining. The decision serves as a vital roadmap for compliance, setting a precedent for the level of transparency and security required in data processing and transfer activities. This move by the EDPS reinforces the EU’s stance on the importance of data protection, signaling to institutions, companies, and individuals alike that safeguarding personal data is paramount and non-negotiable.

The Path Forward

As we reflect on this decision, it is clear that the implications extend far beyond the confines of the European Commission and Microsoft 365. This decision serves as another wake-up call to all entities operating within the EU’s jurisdiction, emphasizing the need for stringent data protection measures and the importance of reevaluating current data handling practices. The fact that the EC itself is on the receiving end is a surprise, but plenty of other companies with operations in the EU know they are doing the exact same things that the EC just got reprimanded for doing.

Looking ahead, the decision by the EDPS is not just about compliance; it’s about setting a global standard for data protection that companies can understand and predictably follow. As we move forward, institutions and companies should take heed of the path to compliance outlined by the decision. Businesses can no longer assume things are safe by relying on the size and popularity of the Microsoft 365 ecosphere, and the contentment that everyone else is doing the same thing. This decision rocked the boat for everyone. If the EC themselves can get this wrong, what chance is there for the rest of us?