O365 infringes data protection rules
Back in 2021 the European Data Protection Supervisor (EDPS) opened two investigations: one into the use of Cloud Services (Amazon and Microsoft), and the other into the use of MS Office 365 by the European Commission.
Basically, the aim is to ensure that EU institutions comply with the rules on transfers of personal data to third countries and the US.
Today the EDPS ruled that the use of Office 365 infringes data protection rules (key quote and link below):
“The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.”
I wonder when the ruling on Cloud Services is due? I also wonder if this is a driver for the likes of Microsoft to magnanimously invest billions in data centres in the EU? That is not easily done, as there are infrastructure challenges (power, water, etc.).
To stretch an analogy, data is the current gold rush. The hyperscalers want to control a lot, but the EU is really starting to flex its muscles (Apple found out in particular recently). AI just doesn’t work without good data. But it’s also good not to get tunnel vision when hurtling towards a brave new world - because the regulators might apply a harsh brake.
Be very mindful of what you do with people’s data. Never something to be forgotten.