EDPS - 2021-0518

From GDPRhub
Authority: EDPS
Jurisdiction: European Union
Relevant Law: Article 5(1)(b) GDPR
Article 6(4) GDPR
Article 28 GDPR
Article 46 GDPR
Article 9 of Regulation (EU) 2018/1725 as specific rule for EU institutions
Articles 4(1)(b), 6, 29 and 48 of Regulation (EU) 2018/1725 corresponding to the above articles of the GDPR
Articles 4(2), 26(1) and 46 of Regulation (EU) 2018/1725
Type: Investigation
Outcome: Violation Found
Started: 12.05.2021
Decided: 08.03.2024
Published: 08.03.2024
Fine: n/a
Parties: European Commission
National Case Number/Name: 2021-0518
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: EDPS decision (in EN)
Initial Contributor: lszabo

The EDPS reprimanded the Commission, ordered it to bring the processing resulting from its use of Microsoft 365 into line with EU data protection rules, and ordered it to suspend, with effect from 9 December 2024, all resulting data flows to countries not covered by an adequacy decision.

English Summary

Facts

Following an investigation in 2019-2020, the EDPS issued recommendations and the Commission modified its licensing agreement with Microsoft (the ILA). The EDPS then investigated whether these modifications were sufficient to bring the processing into compliance with data protection requirements and found infringements.

The data accessed by Microsoft include identity and contact data of users (collected when signing on to the service and when checking licences), data generated by users while using the software, and data generated by Microsoft based on the usage of the software.

The EDPS found that the processing presents significant risks, as it monitors the behaviour of users, combines datasets and uses artificial intelligence. The reference date is 12 May 2021, the date on which the investigation was launched. The Commission took some measures in the meantime, and these were taken into account in the recommendations issued.

Holding

The EDPS found infringements with regard to purpose limitation, transfers to third countries and further unauthorised disclosure of personal data.

Purpose limitation: The EDPS found that the International License Agreement (ILA) did not sufficiently define which types of personal data are to be processed for which purposes. Instead, there was only a list of purposes stating that Microsoft uses these data for:

  • troubleshooting
  • billing
  • remunerating Microsoft staff, internal reporting and business modelling,
  • financial reporting and analytics of the use of the service for Microsoft's own purposes
  • to improve the service
  • security risk management
  • protection of intellectual property


These stated purposes were considered too vague and general in light of Article 29 Working Party guidance. The Commission and Microsoft could not demonstrate that all these data were necessary, nor that a less intrusive collection of data would be insufficient to achieve the purposes cited. In addition, some of these purposes were not in the interest of the Commission at all but served purposes specific to Microsoft (such as the remuneration of its personnel). For such purposes, the processor acts as a controller; thus, these purposes and the data used for them should have been precisely defined. Also, where data were used for purposes other than those for which they were collected, the compatibility of the new purposes with the original ones should have been assessed.

As a processor, Microsoft should have processed the personal data only on documented instructions from the Commission. This was not ensured, as the Commission did not issue sufficiently clear documented instructions to Microsoft. For example, although the Commission gave instructions concerning analytics and improvement of the service, these instructions were not sufficiently detailed and precise and did not exclusively concern uses of data for the purposes of the controller. Some instructions were given orally, but the ILA did not provide for oral instructions and they were not documented.

The Commission did not assess whether it is necessary and proportionate to transmit the data to Microsoft Ireland and its sub-processors. Further details of this infringement are given in the part on further unauthorised disclosure of personal data.

Transfer to third countries: The Commission transferred personal data to Microsoft Corporation, a company established in the US. This raises the question of whether such transfers to a third country are covered by adequate safeguards.

After the reference date, the Commission adopted the Transatlantic Data Privacy Framework (TDPF), an adequacy decision in respect of recipients in the US who register under this framework. The EDPS found that, even where the software and data storage belong to Microsoft, data accessed by Microsoft's sub-processors and affiliates are transferred directly to those sub-processors; such access cannot therefore be framed as a transfer to Microsoft US covered by the TDPF followed by an onward transfer from Microsoft US to other sub-processors under SCCs. The EDPS also found that the ILA did not clearly specify which types of personal data can be transferred to which recipients in which third country. The Commission did not appraise the transfers either and therefore could not determine whether any supplementary measures were necessary.

In addition, the Commission should have performed a transfer impact assessment and (as there are no SCCs adopted for use by EU institutions as exporters) should have submitted the contractual clauses concluded with these processors or sub-processors in third countries to the EDPS for authorisation. Because it failed to do this, the Commission did not implement effective supplementary measures for these transfers.

Another issue was that the "EU storage guarantee" offered by Microsoft did not cover all types of data, so some data may be accessible to recipients in third countries. The "EU Data Boundary" likewise has numerous exceptions and exclusions, affecting customer data, service generated data, diagnostic data and professional services data.

Further unauthorised disclosure of personal data: Specific reference was made to Article 9 of Regulation (EU) 2018/1725, which concerns the transmission of personal data by EU institutions to recipients established in the EU. According to the EDPS, this article also applies to the transmission of personal data to processors of EUIs. All such transmissions must therefore be for a specific purpose in the public interest and, where the data subject's legitimate interests may be prejudiced, the controller has to weigh the competing interests and establish that the transmission is proportionate. Purposes such as the management and functioning of the Commission, or the use of products its staff are familiar with, were not found to be the purposes for which Microsoft processes the personal data. As long as the purposes are not specified and explicit, this balancing cannot be carried out.

In addition, the EDPS found that the Commission did not ensure that transfers take place “solely to allow tasks within the competence of the controller to be carried out”.

The EDPS determined that the organisational and contractual measures intended to restrict or prevent access by third country authorities were not sufficient, and that further technical measures are therefore necessary. The EDPS also found that the organisational measures applied only limit transfers but do not ensure that the transferred data are protected. Further, encryption is only considered an adequate measure if the controller is in control of the encryption key. In this case, although customers control their keys, Microsoft retains access to the encryption key; even where the law does not oblige it to decrypt the data on an authority's request, it may do so voluntarily. Also, the ILA does not provide for encryption of data other than "customer data", i.e. diagnostic data, service generated data or professional services data.

The contract also allowed the processor not to notify the Commission of a request for disclosure even where EU or Member State law did not prohibit such notification. It likewise allowed recipients in third countries not to notify requests for disclosure even where the law prohibiting notification did not constitute a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter.

Comment

Although the limitation on transmission of personal data to recipients subject to the GDPR, based on Article 9 EUDPR, is specific to EU institutions, the decision contains points of general interest:

  • the data transmitted to or accessed by processors, and the purposes for which they are used, must be precisely defined;
  • processors should only use data for the purposes of the controller, even when improving services or ensuring security; if this is not the case, they are controllers;
  • access by sub-contractors and affiliates of a processor is a direct transfer to the sub-contractor or affiliate (possibly in third countries), even when they have no direct contractual relationship with the controller and access data kept by the processor; and
  • adequate safeguards must effectively protect against access by third country recipients; legal stipulations alone are not sufficient.

The parts of the decision concerning transfers to Microsoft US are not relevant at the present date but may become relevant again if the Transatlantic Data Privacy Framework ceases to apply or is invalidated.


Excerpt of the Decision

The text below reproduces an excerpt of the English original decision. Please refer to the original for the full text.

EDPS INVESTIGATION INTO USE OF
MICROSOFT 365
BY THE EUROPEAN COMMISSION
(Case 2021-0518)
Decision
(8 March 2024)
EXCERPT OF FINDINGS OF INFRINGEMENTS
AND OF USE OF CORRECTIVE POWERS
Purpose limitation
I. The EDPS finds that the Commission, on 12 May 2021 (the ‘reference date’) and continuously thereafter until the date of issuing this decision:
a) has infringed Article 4(1)(b) of Regulation (EU) 2018/1725 (the ‘Regulation’) by failing to:
- sufficiently determine the types of personal data collected under the 2021 ILA in relation to each of the purposes of the processing so as to allow those purposes to be specified and explicit;
- ensure that the purposes for which Microsoft is permitted to collect personal data under the 2021 ILA are specified and explicit;
b) has infringed Article 29(3)(a) of the Regulation by insufficiently determining in the 2021 ILA which types of personal data are to be processed for which purposes and by failing to provide sufficiently clear documented instructions for the processing;
c) has infringed Articles 4(2) and 26(1) in conjunction with Article 30 of the Regulation by failing to ensure that Microsoft processes personal data to provide its services only on documented instructions from the Commission;
d) has infringed Article 6 of the Regulation by failing to assess whether the purposes for further processing are compatible with the purposes for which the personal data have initially been collected;
e) has infringed Article 9 of the Regulation by failing to assess whether it is necessary and proportionate to transmit the personal data to Microsoft Ireland and its sub-processors (including affiliates) located in the EEA for a specific purpose in the public interest.
International transfers
II. The EDPS finds that the Commission, on the reference date and, except with regard to point b), second indent, and to point c), continuously thereafter until the date of issuing this decision:
a) has infringed Article 29(3)(a) of the Regulation by failing to clearly provide in the 2021 ILA what types of personal data can be transferred to which recipients in which third country and for which purposes, and to give Microsoft documented instructions in that regard;
b) has infringed Articles 4(2), 46 and 48 of the Regulation by failing to provide appropriate safeguards ensuring that personal data transferred enjoy an essentially equivalent level of protection to that in the EEA since it:
- has not appraised, either prior to the initiation of the transfers or subsequently, what personal data will be transferred to which recipients in which third countries and for which purposes, thereby not obtaining the minimum information necessary to determine whether any supplementary measures are required to ensure the essentially equivalent level of protection and whether any effective supplementary measures exist and could be implemented;
- had not implemented effective supplementary measures for transfers to the United States taking place prior to the entry into force of the US adequacy decision, in light of the Schrems II judgment, nor has it demonstrated that such measures existed;
c) has infringed Articles 4(2), 46 and 48(1) and (3)(a) of the Regulation by:
- concluding the SCCs for transfers from the Commission to Microsoft Corporation without having clearly mapped the proposed transfers, concluded a transfer impact assessment and included appropriate safeguards in those SCCs;
- failing to obtain authorisation of those SCCs for transfers from the Commission to Microsoft Corporation from the EDPS pursuant to Article 48(3)(a) of the Regulation;
d) has infringed Article 47(1) of the Regulation read in the light of Articles 4, 5, 6, 9 and 46 by failing to ensure that transfers take place “solely to allow tasks within the competence of the controller to be carried out.”
Unauthorised disclosures
III. The EDPS finds that the Commission, on the reference date and continuously thereafter until the date of issuing this decision:
a) has infringed Article 29(3)(a) of the Regulation, in particular as interpreted in the light of the Schrems II judgment, by not ensuring that, for personal data processed in the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure, and that, for personal data processed outside the EEA, any prohibition of such notification constitutes a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter;
b) has infringed Articles 4(1)(f), 33(1) and (2) and 36 of the Regulation, by:
- not having assessed the legislation of all third countries to which personal data are envisaged to be transferred under the 2021 ILA and thereby failing to ensure that Microsoft and its sub-processors do not make disclosures of personal data within and outside of the EEA that are not authorised under EU law;
- failing to implement effective technical and organisational measures that would ensure processing in accordance with the principle of integrity and confidentiality within the EEA and, as part of an essential equivalence of the level of protection, also outside of the EEA.
Use of corrective powers
IV. The EDPS has decided to take the following corrective measures in respect of the infringements detailed in sections 3.1.3, 3.2.3 and 3.3.3 of the decision:
1.1. to order the Commission, under Article 58(2)(j) of the Regulation and with effect from 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors, located in third countries not covered by an adequacy decision as referred to in Article 47(1) of the Regulation, and to demonstrate the effective implementation of such suspension (infringements set out in paragraphs II.a and b, first indent, and III);
1.2. to order the Commission, under Article 58(2)(e) of the Regulation, to bring the processing operations resulting from its use of Microsoft 365 into compliance, and to demonstrate such compliance, by 9 December 2024, by:
1.2.1. carrying out a transfer-mapping exercise identifying what personal data are transferred to which recipients in which third countries, for which purposes and subject to which safeguards, including any onward transfers (infringements set out in paragraph II.a and b, first indent);
1.2.2. ensuring that all transfers to third countries take place solely to allow tasks within the competence of the controller to be carried out (infringement set out in paragraph II.d);
1.2.3. ensuring, by way of contractual provisions concluded pursuant to Article 29(3) of the Regulation and of other organisational and technical measures, that:
a) all personal data are collected for explicit and specified purposes (infringements set out in paragraph I.a and b);
b) the types of personal data are sufficiently determined in relation to the purposes for which they are processed (infringements set out in paragraph I.a and b);
c) any processing by Microsoft or its affiliates or sub-processors is only carried out on the Commission’s documented instructions, unless, for processing within the EEA, required by EU or Member State law, or, for processing outside of the EEA, third-country law that ensures a level of protection essentially equivalent to that in the EEA, to which Microsoft or its affiliates or sub-processors are subject (infringements set out in paragraphs I.b and c, II.a and III);
d) no personal data are further processed in a manner that is not compatible with the purposes for which the data are collected, in accordance with the criteria laid down in Article 6 of the Regulation (infringement set out in paragraph I.d);
e) any transmissions to Microsoft Ireland or its affiliates and sub-processors located in the EEA comply with Article 9 of the Regulation (infringement set out in paragraph I.e);
f) for personal data processed in the EEA, only EU or Member State law prohibits notification to the Commission of a request for disclosure, and, for personal data processed outside the EEA, any prohibition of such notification constitutes a necessary and proportionate measure in a democratic society respecting the essence of the fundamental rights and freedoms recognised by the Charter, as required by Article 29(3)(a) of the Regulation, in particular as interpreted in light of the Schrems II judgment (infringement set out in paragraph III.a);
g) no disclosures of personal data by Microsoft or its sub-processors take place, unless, for personal data processed within the EEA, the disclosure is required by EU or Member State law, or, for personal data processed outside of the EEA, the disclosure is required by third-country law that ensures a level of protection essentially equivalent to that in the EEA, to which Microsoft or its affiliates or sub-processors are subject (infringements set out in paragraph III.b).
1.3. to issue a reprimand to the Commission under Article 58(2)(b) of the Regulation (all infringements).