European Commission Ordered to Halt Data Transfers via Microsoft 365
The European Data Protection Supervisor found the Commission's use of Microsoft 365 in breach of EU data protection laws, setting a compliance deadline of December 9, 2024.
- Following a three-year investigation, the European Data Protection Supervisor (EDPS) concluded that the European Commission's use of Microsoft 365 violated EU privacy rules.
- The Commission failed to ensure adequate safeguards for personal data transferred outside the EU/EEA and did not clearly specify data collection purposes in its contract with Microsoft.
- The EDPS has imposed corrective measures, requiring the Commission to cease all data flows to Microsoft and associated firms outside the EU or without a data agreement by December 9, 2024.
- Microsoft responded, stating its commitment to helping European customers use Microsoft 365 in compliance with GDPR and addressing the EDPS's concerns.
- The investigation was partly triggered by concerns over data transfers to the United States, following Edward Snowden's 2013 revelations of mass US surveillance.