The ongoing discussion about tech regulation and the differences between the U.S. and Europe had an interesting twist this week. Simply put, the European Commission was reprimanded by its own watchdog for using Microsoft 365.
Chastened European Commission
While there will undoubtedly be a certain amount of schadenfreude in the U.S. tech sector following the announcement, the fact that the platform at the center of the controversy is Microsoft 365 will undoubtedly cause concern among its customer base.
The decision, which was announced in a statement from the European Data Protection Supervisor (EDPS), said the European Commission infringed "several key data protection rules when using Microsoft 365."
Outlining the reason for its decision, the EDPS explained, "The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA."
It added: "In its contract with Microsoft, the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf."
EU Data Governance in Question
In response, the EDPS has ordered the Commission to take measures to comply with privacy rules and to halt data transfer to U.S. companies and subsidiaries located in third countries that do not have privacy deals with the EU, setting a deadline of Dec. 9 for both orders.
A Commission spokesperson — the Commission being the EU's executive branch — acknowledged the problem and said it would act. "The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission," the spokesperson said in a statement.
The irony won't be lost on anyone. In Feb. 2020, the European Commission introduced the European data governance strategy, which foresees a situation where the EU will become a player in the monetization of the personal data of European citizens who have given full consent.
The first initiative, called TRUSTS, involved the creation of a Europe-wide pool of personal and non-personal data that businesses and technology companies can access through a system of trusts. At the heart of it was the understanding that while businesses are able to use the data, they are not allowed to move it.
Microsoft, for its part, has been addressing this issue with the EU Data Boundary for the Microsoft Cloud, which envisages a situation where its customers would be able to store all personal data within the EU rather than sending it for storage to the U.S., which lacks equivalent national data governance and privacy laws.
Reevaluating Data Strategies
The EDPS ruling represents a significant moment for cloud-based productivity software in the European Union, Basecamp Legal founder Adrienne Fischer told Reworked.
One likely result will be a swift reevaluation of data protection measures by organizations operating within the EU. Entities will need to ensure their use of cloud services complies with specific requirements around data collection, processing and cross-border data transfers, she said. This may involve conducting rigorous data protection impact assessments and renegotiating contracts with service providers to ensure more explicit control and specification of data processing activities.
While the direct impact might be less immediate in the U.S., she added, multinational companies operating across borders will need to carefully consider their data handling practices to ensure compliance with EU regulations, especially in light of the Privacy Shield invalidation and the ongoing debates around adequacy decisions and standard contractual clauses.
"The ability of Microsoft, or any tech giant for that matter, to adapt quickly to these requirements is pivotal," she said. "Given their resources and the central role that compliance plays in their business model, especially in serving governmental and international clients, I would expect Microsoft to respond proactively."
This sends a clear message to all big tech companies operating in Europe that the EU is serious about enforcing its data protection laws and will not hesitate to scrutinize the practices of the largest tech entities, even itself.
EU Data Protection Laws
There is a wider context too. The decision underscores the necessity for companies to rigorously evaluate their data handling practices within the context of GDPR and other relevant EU data protection laws, said MAH Advising founder Michael Hurckes.
“Businesses must recognize that the EU's stance on data privacy is exceptionally stringent, demanding clear, transparent data processing and storage procedures alongside robust data security measures,” he told Reworked.
This will force companies to look at their data strategy; they will have to tweak those strategies, put practices in place that ensure data minimization and purpose limitation, and implement end-to-end encryption to safeguard data transfers.
"From past consultations with companies facing similar compliance pressures, I've observed that those who engage transparently with regulators and invest in privacy-by-design principles can indeed pivot quickly," Hurckes said. "For Microsoft, this might entail offering more granular control over data processing to its clients or enhancing transparency regarding data transfers."
Other big tech companies operating in Europe will likely feel a substantial ripple effect coming out of the ruling. It serves as a clear warning that data protection is non-negotiable in the EU, catalyzing a broader shift towards more privacy-focused business models.
Setting a Precedent
"There's a notable irony in the fact that the Commission, which helps shape, promote, and enforce data protection laws, has itself violated these regulations," said Christa Burger, senior director of cybersecurity governance risk at Alteryx. "I imagine Microsoft is going to demonstrate some adaptability in the near future; however, in the meantime, ongoing use of M365 just became a risk."
She also expects more scrutiny of compliance efforts (being able to demonstrate alignment with the law) as a result, and predicts contract reviews and adjustments are going to become temporarily popular as everyone scrambles to mitigate risk.
Organizations will need to preemptively look over their data transfer practices to ensure they align with requirements, with one solution being an increased presence in EU-based data centers, she said. It's going to be a question of how Big Tech resourcing goes in 2024 and how much they can invest in responding.
Microsoft has a history of adapting to regulatory requirements and has made significant investments in global compliance and data protection. Its response should come quickly. However, a potentially precedent-setting ruling like this could also spur new and innovative applications to fix the problem, she concluded.