EDPS - 2021-0518

From GDPRhub
Revision as of 17:41, 15 July 2024 by Lszabo
Authority: EDPS
Jurisdiction: European Union
Relevant Law: Article 5(1)(b) GDPR
Article 6(4) GDPR
Article 28 GDPR
Article 46 GDPR
Article 9 of Regulation (EU) 2018/1725 as specific rule for EU institutions
Articles 4(1)b, 6, 29 and 48 of Regulation (EU) 2018/1725 corresponding to the above articles of the GDPR
Articles 4(2), 26(1) and 46 of Regulation (EU) 2018/1725
Type: Investigation
Outcome: Violation Found
Started: 12.05.2021
Decided: 08.03.2024
Published: 08.03.2024
Fine: n/a
Parties: European Commission
National Case Number/Name: 2021-0518
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPS decision (in EN)
Initial Contributor: lszabo

The EDPS reprimanded the Commission, ordered it to bring the processing related to its use of Microsoft 365 in line with EU data protection rules, and suspended the data flows to countries for which there is no adequacy decision, with effect from 9 December 2024.

English Summary

Facts

Following an investigation in 2019-2020, the EDPS issued recommendations and the Commission modified the ILA. The EDPS investigated whether these modifications were sufficient to bring the processing into compliance with data protection requirements and found infringements. The data accessed by Microsoft are:
- identity and contact data of users (when signing on to the service and when checking the licences)
- data generated by the users while using the software
- data generated by Microsoft based on the usage of the software

The EDPS found that the processing presents significant risks as it:
- monitors the behaviour of users,
- combines datasets and
- even uses artificial intelligence.

The reference date is 12 May 2021, the date when the investigation was launched. Some measures were taken in the meantime by the Commission, which were taken into account in the recommendations issued.

Holding

The infringements found were summarised in three groups:
- purpose limitation
- transfers to third countries
- further unauthorised disclosure of personal data

Purpose limitation

The International License Agreement (ILA) did not sufficiently define which types of personal data are to be processed for which purposes; there was only a list of purposes. Microsoft uses these data for:
- troubleshooting
- billing
- remunerating Microsoft staff, internal reporting and business modelling, financial reporting
- following the use of the system for its own reasons (analytics)
- improving the service (a purpose the Art 29 WP considers too vague and general)
- security risks and the protection of intellectual property

The Commission and Microsoft could not demonstrate that all these data were necessary and that a less intrusive collection of data would not have been sufficient to achieve the purposes cited. Some of these purposes were actually not in the interest of the Commission but served Microsoft's own purposes (like the remuneration of its personnel). A processor may process personal data not on behalf of the controller if required by Union or Member State law, but in this case the processor acts as controller, and these purposes and the data used for them should have been precisely defined. Also, if data were used for purposes other than those for which they were collected, the compatibility of these new purposes with the original ones should have been assessed.

As a processor, Microsoft should have processed the personal data on documented instructions from the Commission. This was not ensured, as the Commission did not issue sufficiently clear documented instructions to Microsoft. For example, the controller gave instructions for analytics and improvement of the service, but these instructions were not sufficiently detailed and precise and did not exclusively concern uses of data for the purposes of the controller. Some instructions were given orally, but this was not enabled by the ILA and the oral instructions were not documented. The Commission did not assess whether it is necessary and proportionate to transmit data to Microsoft Ireland and its sub-processors. Further details of this infringement are given in the part on further unauthorised disclosure of personal data.

Transfer to third countries

The Commission transferred personal data to Microsoft. Concerning Microsoft US, after the reference date the Commission adopted the Transatlantic Data Privacy Framework (TDPF), which is an adequacy decision in respect of recipients in the US who register under this framework, which Microsoft did. Therefore only the findings concerning transfers to other third countries remain relevant. It is to be noted that the EDPS found that even when the software and data storage are the property of Microsoft, access by its subcontractors is a direct transfer to those subcontractors and cannot therefore be covered by a transfer under the TDPF to Microsoft US and an onward transfer from Microsoft US to the subcontractors under SCCs.

The EDPS found that it was not clearly specified in the ILA which types of personal data can be transferred to which recipients in which third country, and that the Commission did not appraise the transfers and therefore could not determine whether any supplementary measures are necessary. In addition, the Commission should have performed a transfer impact assessment (TIA) and (as there are no SCCs applicable to EUIs as exporters) should have submitted the DPAs with these processors or sub-processors in third countries to the EDPS for approval. As a consequence, the Commission did not implement effective supplementary measures for these transfers. Another point was that the "EU storage guarantee" offered by Microsoft does not cover all types of data; some data may be accessible to recipients in third countries. The "EU Data Boundary" also has numerous exceptions and exclusions, which cover customer data, service generated data, diagnostic data and professional services data. These findings will also be relevant for transfers to the US if, as initiated before the Court of Justice by some privacy advocates, the Transatlantic Data Privacy Framework is invalidated.

Further unauthorised disclosure of personal data

A specific reference was made to Article 9, which concerns the transmission of personal data by EU institutions to recipients established in the EU. According to the EDPS, this article is also applicable to the transmission of personal data to processors of EUIs. Therefore all transmissions of personal data should be in the public interest, and if the data subject's legitimate interests may be prejudiced, the controller has to weigh the competing interests and establish that it is proportionate to transmit the personal data. The purpose of management and functioning of the Commission, use of products the staff is familiar with, etc. was not found to be the purpose of the processing of the personal data by Microsoft. As long as the purposes are not specified, specific and explicit, it is not possible to do this weighing. In conjunction with that, the EDPS found that the Commission did not ensure that transfers take place "solely to allow tasks within the competence of the controller to be carried out".

Further findings of the EDPS concern mainly the transfer of personal data to Microsoft and its affiliates and subcontractors:
- Organisational and contractual measures to restrict or prevent access by third country authorities are not sufficient; technical measures are necessary.
- The organisational measures applied only limit transfers but do not ensure that transfers are protected.
- Encryption is only found to be an adequate measure if the controller is in control of the encryption key. In this case, customers only control the keys in the sense that they can revoke them, but Microsoft has access to the keys; in fact, Microsoft is in possession of the encryption key, and thus, even when the law does not oblige it to decrypt the data on an authority's request, it may do so voluntarily.
- The ILA does not detail the encryption of data other than "customer data", i.e. diagnostic data, service generated data or professional services data.
- The contract also enabled the processor not to notify the Commission about a request for disclosure even when EU or Member State law did not prohibit this notification, and enabled recipients in third countries not to notify requests for disclosure even when the law prohibiting it did not constitute a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter.

Comment

Although the limitation on the transmission of personal data to recipients subject to the GDPR, based on Article 9 EUDPR, is specific to EU institutions, there are points of general interest:
- precise definition of the data transmitted to or accessed by processors and of the purposes for which they are used;
- processors should only use data for the purposes of the controller, even when improving services or ensuring security; if this is not the case, they are controllers;
- access by subcontractors and affiliates of a processor is a direct transfer to the subcontractor or affiliate (possibly in a third country), even when they are not directly in a contractual relationship with the controller and they access data kept by the processor;
- adequate safeguards must effectively protect against access by third country recipients; legal stipulations alone are not sufficient.

The parts of the decision concerning transfers to Microsoft US are not relevant at the present date but may become relevant again when the Transatlantic Data Privacy Framework ceases to apply or is invalidated.

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

EDPS INVESTIGATION INTO USE OF
MICROSOFT 365
BY THE EUROPEAN COMMISSION
(Case 2021-0518)
Decision
(8 March 2024)
EXCERPT OF FINDINGS OF INFRINGEMENTS
AND OF USE OF CORRECTIVE POWERS
Purpose limitation
I. The EDPS finds that the Commission, on 12 May 2021 (the ‘reference date’) and continuously thereafter until the date of issuing this decision:
a) has infringed Article 4(1)(b) of Regulation (EU) 2018/1725 (the ‘Regulation’) by failing to:
- sufficiently determine the types of personal data collected under the 2021 ILA in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit;
- ensure that the purposes for which Microsoft is permitted to collect personal data under the 2021 ILA are specified and explicit;
b) has infringed Article 29(3)(a) of the Regulation by insufficiently determining in the 2021 ILA which types of personal data are to be processed for which purposes and by failing to provide sufficiently clear documented instructions for the processing;
c) has infringed Articles 4(2) and 26(1) in conjunction with Article 30 of the Regulation by failing to ensure that Microsoft processes personal data to provide its services only on documented instructions from the Commission;
d) has infringed Article 6 of the Regulation by failing to assess whether the purposes for further processing are compatible with the purposes for which the personal data have initially been collected;
e) has infringed Article 9 of the Regulation by failing to assess whether it is necessary and proportionate to transmit the personal data to Microsoft Ireland and its sub-processors (including affiliates) located in the EEA for a specific purpose in the public interest.
International transfers
II. The EDPS finds that the Commission, on the reference date and, except with regard to point b), second indent, and to point c), continuously thereafter until the date of issuing this decision:
a) has infringed Article 29(3)(a) of the Regulation by failing to clearly provide in the 2021 ILA what types of personal data can be transferred to which recipients in which third country and for which purposes, and to give Microsoft documented instructions in that regard;
b) has infringed Articles 4(2), 46 and 48 of the Regulation by failing to provide appropriate safeguards ensuring that personal data transferred enjoy an essentially equivalent level of protection to that in the EEA since it:
- has not appraised, either prior to the initiation of the transfers or subsequently, what personal data will be transferred to which recipients in which third countries and for which purposes, thereby not obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection and whether any effective supplementary measures exist and could be implemented;
- had not implemented effective supplementary measures for transfers to the United States taking place prior to the entry into force of the US adequacy decision, in light of the Schrems II judgment, nor has it demonstrated that such measures existed;
c) has infringed Articles 4(2), 46 and 48(1) and (3)(a) of the Regulation by:
- concluding the SCCs for transfers from the Commission to Microsoft Corporation without having clearly mapped the proposed transfers, concluded a transfer impact assessment and included appropriate safeguards in those SCCs;
- failing to obtain authorisation of those SCCs for transfers from the Commission to Microsoft Corporation from the EDPS pursuant to Article 48(3)(a) of the Regulation;
d) has infringed Article 47(1) of the Regulation read in the light of Articles 4, 5, 6, 9 and 46 by failing to ensure that transfers take place “solely to allow tasks within the competence of the controller to be carried out.”
Unauthorised disclosures
III. The EDPS finds that the Commission, on the reference date and continuously thereafter until the date of issuing this decision:
a) has infringed Article 29(3)(a) of the Regulation, in particular as interpreted in the light of the Schrems II judgment, by not ensuring that, for personal data processed in the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure, and that, for personal data processed outside the EEA, any prohibition of such notification constitutes a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter;
b) has infringed Articles 4(1)(f), 33(1) and (2) and 36 of the Regulation, by:
- not having assessed the legislation of all third countries to which personal data are envisaged to be transferred under the 2021 ILA and thereby failing to ensure that Microsoft and its sub-processors do not make disclosures of personal data within and outside of the EEA that are not authorised under EU law;
- failing to implement effective technical and organisational measures that would ensure processing in accordance with the principle of integrity and confidentiality within the EEA and, as part of an essential equivalence of the level of protection, also outside of the EEA.
Use of corrective powers
IV. The EDPS has decided to take the following corrective measures in respect of the infringements detailed in sections 3.1.3, 3.2.3 and 3.3.3 of the decision:
1.1. to order the Commission, under Article 58(2)(j) of the Regulation and with effect from 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors, located in third countries not covered by an adequacy decision as referred to in Article 47(1) of the Regulation, and to demonstrate the effective implementation of such suspension (infringements set out in paragraphs II.a and b, first indent, and III);
1.2. to order the Commission, under Article 58(2)(e) of the Regulation, to bring the processing operations resulting from its use of Microsoft 365 into compliance, and to demonstrate such compliance, by 9 December 2024, by:
1.2.1. carrying out a transfer-mapping exercise identifying what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including any onward transfers (infringements set out in paragraph II.a and b, first indent);
1.2.2. ensuring that all transfers to third countries take place solely to allow tasks within the competence of the controller to be carried out (infringement set out in paragraph II.d);
1.2.3. ensuring, by way of contractual provisions concluded pursuant to Article 29(3) of the Regulation and of other organisational and technical measures, that:
a) all personal data are collected for explicit and specified purposes (infringements set out in paragraph I.a and b);
b) the types of personal data are sufficiently determined in relation to the purposes for which they are processed (infringements set out in paragraph I.a and b);
c) any processing by Microsoft or its affiliates or sub-processors is only carried out on the Commission’s documented instructions, unless, for processing within the EEA, required by EU or Member State law, or, for processing outside of the EEA, third-country law that ensures a level of protection essentially equivalent to that in the EEA, to which Microsoft or its affiliates or sub-processors are subject (infringements set out in paragraphs I.b and c, II.a and III);
d) no personal data are further processed in a manner that is not compatible with the purposes for which the data are collected, in accordance with the criteria laid down in Article 6 of the Regulation (infringement set out in paragraph I.d);
e) any transmissions to Microsoft Ireland or its affiliates and sub-processors located in the EEA comply with Article 9 of the Regulation (infringement set out in paragraph I.e);
f) for personal data processed in the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure, and, for personal data processed outside the EEA, any prohibition of such notification constitutes a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter, as required by Article 29(3)(a) of the Regulation, in particular as interpreted in light of the Schrems II judgment (infringement set out in paragraph III.a);
g) no disclosures of personal data by Microsoft or its sub-processors take place, unless, for personal data processed within the EEA, the disclosure is required by EU or Member State law, or, for personal data processed outside of the EEA, the disclosure is required by third-country law that ensures a level of protection essentially equivalent to that in the EEA, to which Microsoft or its affiliates or sub-processors are subject (infringements set out in paragraph III.b).
1.3. to issue a reprimand to the Commission under Article 58(2)(b) of the Regulation (all infringements).