Microsoft 365: EU Commission takes EU data protection commissioner to court
EU Data Protection Commissioner claims EU Commission used Microsoft 365 illegally. Both the Commission and Microsoft are challenging this allegation legally.
(Image: EU / Microsoft)
After the EU Data Protection Supervisor (EDPS) accused the EU Commission of using Microsoft products unlawfully, he is now facing opposition. The Commission wants the Court of Justice of the EU to declare the EDPS's investigation report on the use of Microsoft 365 null and void. Apparently, the EU Commission wants to continue using this software as before.
The EU Commission's action (Case T-262/24) dated May 17, 2024, was published in the Official Journal of the EU at the beginning of this month, as pointed out by Patrick Breyer, MEP for the Pirate Party. Microsoft itself is also taking action against the EDPS before the EU General Court (Case T-265/24). The plaintiffs accuse the data protection officer of "errors of law and fact in the determination of infringements" and "incorrect interpretation and application" of EU provisions. The Microsoft complaint contains four pleas in law, which the EU Commission 13.
The EU Data Protection Commissioner Wojciech Wiewiórowski had spent three years investigating the legal aspects of the use of Microsoft 365 in the EU Commission. In March of this year, he said that the Commission had violated several provisions of the special data protection regulation for the EU institutions. In particular, the Commission had failed to ensure adequate protection of personal information transferred via MS 365 to third countries such as the US.
"Disproportionate remedies"
Among other things, the Commission is defending itself against the accusation that it did not specify in the interinstitutional license agreement what types of personal data should be processed and for what purposes. It also considers the EDPS's finding that the Commission had not provided sufficiently clearly documented instructions to be incorrect.
In March, the Data Protection Commissioner instructed the EU Commission to suspend all data traffic resulting from the use of Microsoft 365 to Microsoft and its affiliates and sub-processors in countries outside the EU or EEA by December 9, 2024 at the latest. Like Microsoft, the EU Commission believes that the Data Protection Commissioner has ordered "disproportionate remedies". These were based on unfounded assumptions of violations of EU Regulation 2018/1725, according to Microsoft.
Wiewiórowski had initiated the investigations after the European Court of Justice (ECJ) declared the Privacy Shield between the EU and the USA to be inadmissible in July 2020.He said at the time that many contracts for cloud services had been concluded before this landmark decision and would have to be reviewed.
(anw)
