Updated March 11th, 2024 at 18:41 IST

EU’s privacy watchdog warns against using Microsoft software due to privacy breach

This decision by the EDPS follows a three-year investigation prompted by concerns over the transfer of personal data to the United States.

Reported by: Business Desk

Privacy agreements with EU: The European Commission's use of Microsoft software has been found to contravene EU privacy regulations, as per the EU privacy watchdog's announcement on Monday. The European Data Protection Supervisor (EDPS) has instructed the Commission to rectify these breaches and cease transferring data to Microsoft and its subsidiaries in non-EU countries lacking privacy agreements with the bloc. The deadline for compliance has been set for December 9.

This decision by the EDPS follows a three-year investigation prompted by concerns over the transfer of personal data to the United States, particularly after revelations in 2013 by former US intelligence contractor Edward Snowden regarding widespread US surveillance practices.


The watchdog criticised the Commission for failing to implement sufficient safeguards to ensure that personal data transferred outside the EU/EEA (European Economic Area) receive a level of protection equivalent to that guaranteed within the EU/EEA. The EDPS also highlighted deficiencies in the Commission's contract with Microsoft, particularly regarding the specification of the types of personal data collected and the purposes for which they are used within Microsoft 365, the suite including Word, Excel, PowerPoint, and Outlook.

Consequently, the data protection authority has mandated the suspension of all data flows resulting from the Commission's use of Microsoft 365 to entities located outside Europe without adequacy decisions. While the EU has data adequacy agreements with 16 countries, including the United States, the EDPS's directive underscores the necessity for compliance with EU privacy standards.


The Commission has yet to respond to requests for comment, while Microsoft has stated its intention to review the EDPS decision and collaborate with the EU executive to address the concerns. Microsoft underlined that the concerns raised by the EDPS primarily relate to transparency requirements under the EU General Data Protection Regulation (GDPR), which specifically applies to EU institutions.

Additionally, the EU executive has been instructed to ensure that its usage of Microsoft 365 aligns with privacy regulations, signalling a broader call for adherence to data protection standards within EU institutions.


(With Reuters inputs)


Published March 11th, 2024 at 18:41 IST