

EC accused of breaking own data-protection rules – again


The European Commission has once again been accused of breaking its own data-protection rules.

Just after the EC was forced to address claims that it had breached General Data Protection Regulation standards last year, the European Union’s official European Data Protection Supervisor (EDPS) has now concluded that the body has been breaking the law regarding how it handles personal data “behind closed doors”.

According to a press release by the EDPS, the EC’s use of Microsoft’s 365 service, a software package including cloud-based Word, Excel and PowerPoint applications, is in breach of the bloc’s data protection legislation for official EU institutions, groups, offices and agencies.

The body’s main complaint regards the transfer of sensitive personal data to third-party companies operating outside the EU. The EDPS claims the EC did not put the necessary safeguards in place to make sure such data is handled correctly.

“The Commission has failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection as guaranteed in the EU/EEA,” the EDPS said on March 11.

It goes on to accuse the EC of being too vague in its contract with Microsoft regarding what personal data the company is allowed to collect from the EC and for what purposes.

The watchdog has now ordered the EC to “suspend all data flows” resulting from the use of Microsoft 365 to Microsoft – and any of its partner companies operating outside the European Union – unless there is a plan in place ensuring the proper protection of personal data for each company.

Responding to the ruling, EC digital-economy spokesman Johannes Bahrke insisted the body was committed to fulfilling its data-protection obligations, arguing that remained a “top priority”.

He did say the EC was concerned about the impact the ruling could have on its work.

“We are committed to complying with our legal obligations,” Bahrke added.

“Compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services.

“This applies not only to Microsoft but potentially also to other commercial IT services,” he warned, adding that the EC still needed to thoroughly “analyse” the ruling before commenting further.

The EDPS ruling comes one week after the European Commissioner for Home Affairs Ylva Johansson was forced to address claims that the body had violated the GDPR with one of its social-media advertising campaigns.

The campaign is alleged to have used sensitive data belonging to users – such as their religious and political beliefs – to target the advertisement, which would break commercial data-protection rules.

“The Commission did not intend to trigger the processing of special categories of personal data,” Johansson said, regarding the issue.

“If such special categories were processed, this should not have happened.”