French authorities are reported to be concerned about “the potential risks associated with the use of US-based solutions” for handling European Union digital data.
The European Commission is overly dependent on Microsoft products for its digital workings.
Internal EC documents seen by Euractiv said the body’s reliance on Microsoft “constituted a clear breach of EU data rules”.
These “contradict the executive’s public statements on the matter,” the outlet claimed.
The EC uses Microsoft 365 as its digital workspace, something the European Data Protection Supervisor (EDPS) had warned against in December last year, stating the EC had violated its own data protection rules by doing so.
The EDPS had found that the EC infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for European Union institutions, bodies, offices and agencies (EUIs), including those regarding transfers of personal data outside the EU/European Economic Area (EEA).
In its decision of March 8, 2024, the EDPS had ordered the EC to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA and not covered by an adequacy decision (“suspension order”). In addition, it said the body had to bring processing operations resulting from its use of Microsoft 365 into compliance by taking specified actions (“compliance order”).
According to an internal EC document seen by Euractiv: “There are no known credible offerings from European providers.”
The memo cited “the potential risks associated with the use of US-based solutions”, which were of particular worry for French officials.
Concerns regarding “excessive power in the hands of a few non-European companies, risks associated with a single supplier (price hikes, migration difficulties), and the potential loss of in-house competencies” were raised in a recent report by the Directorate-General for Digital Services (DG DIGIT), which Euractiv also claimed to have seen.
While the report lauds member states’ efforts to develop open-source alternatives to Microsoft, it merely concludes that DG DIGIT would “plan” to evaluate them internally as a “possible complement” for “small scale” initiatives with “very restricted scope”.
The Commission has not yet publicly acknowledged these concerns.
It has claimed it closely monitored open-source adoption across the EU and described itself as an “open-source software adopter”.
EC spokesperson Thomas Regnier dismissed alternatives to Microsoft: “No functionally equivalent alternatives to Microsoft365 have been identified.”
The body’s dependence on Microsoft left it vulnerable on two fronts, it was claimed: limited control over sensitive data and weak bargaining power in pricing negotiations.
The importance of the situation was illustrated by a November 21 Council document. In that, the ICDT Cloud and Digital Workplace Subgroup warned of “issues” if talks were not concluded by February this year, noting that relevant parties were “still not converging on content nor price”.
In March 2024, the EDPS ordered the EC to bring its practices into line with the EU’s institutional data protection rules. The Commission responded by suing the EDPS, calling the order an “erroneous interpretation and application” of the EUDPR.
When asked about the situation, the EC spokesperson stated: “[The] deployment of Microsoft365 is compliant with the requirements of [EUDPR] and that it has sufficiently demonstrated this during the EDPS investigation.”
The EDPS is currently reviewing the documents but said in a press release on December 10 that “the decision of March 8, 2024 remains fully applicable”.
EU rules ban the use of Microsoft365 for classified content but an anonymous EU official told the Brussels-based website that staff allegedly often downgraded document sensitivity to use Microsoft’s convenient tools.
While the EDPS oversees data protection, no agency specifically monitors the EC’s cybersecurity. CERT-EU could, therefore, theoretically fill this role but has been compromised by its position within DG DIGIT.
The situation could apparently see reduced oversight of the systems involved as the EDPS leadership changes.
Three sources suggested to Euractiv that the head of the International data flows and protection Unit at the EC, Bruno Gencarelli, may take a softer stance on EC practices than outgoing chief Wiewiórowski if put in that post.