EU data experts and the Commission at loggerheads over the use of Microsoft 365

The dispute over the use of Microsoft 365 by the EU Commission and its subordinate authorities is coming to a head. In March, EU Data Protection Commissioner Wojciech Wiewiórowski found that the Brussels-based government institution had used the cloud-based Office package unlawfully in light of the "Schrems II ruling" of the European Court of Justice. It ordered the Commission to suspend all data flows resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU or the European Economic Area (EEA) by December 9, 2024 at the latest. However, a Commission spokesperson told heise online that they see no reason to abandon MS 365.

The fronts are deadlocked. Wiewiórowski followed up after the deadline he had set and emphasized that his decision from March "remains fully applicable". The Commission wants nothing to do with this. It is of the opinion that its use of MS 365 complies with the legal requirements and that it "sufficiently demonstrated this" during the investigation by the EU Data Protection Supervisor, the spokesperson emphasized. "The Commission's commitment to protecting data protection rules remains steadfast and it will continue to uphold the highest standards of compliance with these rules." On December 6, the executive body submitted the requested compliance report and related documents to Wiewiórowski.

Commission sees no real alternatives to Microsoft

The EU Data Protection Supervisor has confirmed receipt of the documents, but believes that the Commission is still obliged to refrain from using MS 365, at least for the time being. His office is currently reviewing the information provided in order to assess whether the Commission has complied with the March decision. In view of the scope of the submission and the complexity of the associated processing operations, this analysis must be carried out "thoroughly within a reasonable timeframe". At the same time, Wiewiórowski announced that he would not comment further on the case, as the Commission had challenged his decision and the relevant proceedings before the General Court of the EU were ongoing (Ref.: T-262/24 and T-265/24).

As early as 2020, Wiewiórowski had also called on the Commission to look for alternatives to MS 365 that "allow higher data protection standards". However, the government institution has so far done little in this direction. "There are no known credible offers from European providers", Euractiv quotes from an internal Commission document. However, French authorities have expressed particular concern about the potential risks "associated with the use of US-based solutions". A report by the Directorate-General for Digital Services also addresses the "excessive power of a few non-European companies, risks associated with a single provider (price increases, migration difficulties) and the potential loss of internal competences".

Wiewiórowski's re-election is open

According to Euractiv, the Directorate-General also praises initiatives by member states to develop open and sovereign alternatives to Microsoft in the pursuit of digital sovereignty. Internally, however, it only sees this as a "possible addition" for small IT projects with a "very limited scope". In Germany, auditors pointed out "pain points in the federal administration" in a 2019 study for the Ministry of the Interior, which had been criticizing the dependence on Microsoft products for years. The Center for Digital Sovereignty (ZenDiS) is now promoting the Windows alternative OpenDesk. Schleswig-Holstein wants to break away from Microsoft completely.

How the dispute continues is also likely to depend on whether Wiewiórowski is re-elected after the official end of his term of office in December. Bruno Gencarelli from the Directorate-General for Justice and Consumers, who could be less critical of the Commission, François Pellegrini, former Vice-President of the French data protection authority CNIL, and Anna Pouliou, Data Protection Officer of the EU Organization for Nuclear Research (CERN), are contesting his post. The EU Parliament's Home Affairs Committee will hold a hearing of the candidates on Thursday.

(mki)