European Commission violates data protection rules using Microsoft 365
- In March 2024, the European Commission's use of Microsoft 365 was determined to be in violation of EU data protection rules.
- The European Data Protection Supervisor set a deadline for the Commission to respond and adjust its data management practices.
- The EDPS is now reviewing the Commission's compliance report, suggesting a lengthy examination process ahead.
In March 2024, the European Commission was found to be in violation of the European Union's data protection rules due to its use of Microsoft 365 services. This discovery raised significant concerns about the security and handling of sensitive data within the European Commission, considering the strict regulations imposed by the bloc on data privacy. Following this finding, the European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, issued an order for the Commission to suspend any data flows that contravened these regulations and to amend its contracts with Microsoft to ensure compliance. The deadline for the Commission to address these issues was set for Monday, December 9, 2024. Soon after, on Tuesday, Wiewiórowski confirmed the receipt of the Commission's report and announced that a thorough review would be conducted to assess whether the Commission has adhered to the March order.