
European Data Protection Supervisor decision on Microsoft 365: Key takeaways


By Jade Kowalski, Amanda MacKenzie & Maia Crockford


Published 10 May 2024

Overview

In our last edition, we reported on the Decision of the European Data Protection Supervisor ("EDPS") relating to the European Commission's use of Microsoft 365.

By way of reminder, the EDPS' investigation began in May 2021, following the Schrems II[1] judgment, and related to concerns regarding how Microsoft processes the data of users of its cloud-based services. Whilst the Decision considers the EDPS' activities under Regulation (EU) 2018/1725 (the data protection law applicable to EU institutions), it is of interest and relevance to private organisations, as many of the obligations under the Regulation replicate those set out in the GDPR.

The Decision highlights the risks and challenges of using cloud-based services from large providers. In this article, we summarise the three key findings of the Decision and consider the implications for clients' data processing agreements.

1. Lack of specificity in the contract regarding categories of personal data and processing purposes

The EDPS found that the Commission's contractual arrangements with Microsoft failed to comply with several requirements of the Regulation. In particular, it did not sufficiently determine the types and categories of personal data collected by Microsoft, nor did it specify and make explicit the purposes for which such data were collected.

The following points were raised to support the EDPS' finding:

  1. Description of the data: the contract referenced "services generated data" and "diagnostic data". The Commission provided examples of these types of data in its record of processing activities ("ROPA") and privacy notice. However, the EDPS considered that neither the contract nor the examples allowed "any discernment as to the actual types of personal data falling within these descriptions".
  2. Ambiguous language: wording such as "processing for the provision of services" and "processing for business operations" were not precise enough, meaning that instructions for processing were not clearly documented.
  3. Compatibility of further processing: the Commission did not assess the compatibility of the purposes for which Microsoft further processed personal data, such as for "ongoing improvement" of its products or services, with the initial purposes for which the data was originally collected.
  4. Documented instructions: the Commission did not provide clear and comprehensive instructions to Microsoft on how to process personal data on its behalf, especially regarding data transfers to third countries.
  5. Accountability and integrity: the Commission did not ensure that Microsoft processed personal data only on the basis of documented instructions and did not verify Microsoft's compliance with its contractual obligations.
  6. Microsoft as the controller: the EDPS did not object to the possibility of Microsoft Ireland determining non-essential means of processing, such as the choice of a particular type of hardware or software, the detailed security measures or other practical aspects of implementation. However, as the Commission had not determined the types of personal data which fell under the "essential means" of processing, Microsoft may process data outside or beyond the Commission's instructions. These circumstances could amount to a decision determining the purposes and means of processing, resulting in the processor's breach of its obligations, with the ultimate possibility that Microsoft may be considered a controller.
  7. The use of artificial intelligence: the contract did not specify that Microsoft used AI as part of the service. The EDPS found that "The use of artificial intelligence, while potentially improving the service provided, inherently poses potentially high risks to data subjects… The EDPS therefore considers that where the processing involves artificial intelligence or data analytics, the purposes of the processing must specify that in order for them to be considered specified and explicit. The Commission has failed to do that, and in particular in a contract or another binding legal act".

2. International transfers

The EDPS also found that the Commission failed to comply with its obligations in relation to transfers of personal data outside the European Economic Area ("EEA"), particularly to the United States, before the adoption of the EU-US Data Privacy Framework in 2023. Noting similar points to those set out above, the contract did not specify details regarding the categories of data, recipients, jurisdictions or purposes. The EDPS identified the following shortcomings:

  • Transfer mapping and Transfer Impact Assessments (TIAs): the Commission did not adequately map its transfers, carry out proper TIAs, or provide sufficient information to determine the need for supplementary measures to ensure an adequate level of protection.
  • Specific purpose limitation for transfers: the Commission did not ensure that transfers of personal data to third countries were solely for the performance of tasks within its competence, and did not prevent or limit the access of third parties to such data.
  • Effective supplementary measures: the supplementary measures put forward by the Commission and Microsoft were found to be ineffective. The measures included encryption, pseudonymisation and specific contractual clauses. The EDPS concluded that none of the supplementary measures, considered individually or in combination, was effective in ensuring an essentially equivalent level of protection as required by the Regulation and the Schrems II judgment.

3. Unauthorised disclosures

The EDPS also found that the Commission did not ensure that Microsoft notified the Commission of, and redirected to it, any requests for data disclosure from third parties such as law enforcement or intelligence agencies, and did not ensure that such requests were challenged.

Commentary

Throughout the Decision the EDPS referred to the European Data Protection Board's Guidelines 07/2020, which provide guidance on the level of detail required in a data processing agreement under Article 28 GDPR. In particular, the type of personal data being processed under the contract "should be specified in the most detailed manner as possible". The EDPS did not consider that this was the case here and, although it accepted that the Commission could refer to its ROPA and Privacy Statement to assist, those documents did not support the documentation of the in-scope categories of data in this instance.

The EDPS also did not accept Microsoft's use of a "layered approach" to provide more clarity regarding the categories of data processed. Whilst a layered approach is acceptable in privacy notices, it cannot apply to the contractual relationship between a controller and a processor, where the types of personal data and the purposes of the processing must be specified in a binding contract.

It is not uncommon for cloud-based services contracts to contain only a high-level summary of the data, particularly when contracting on the service provider's terms. Microsoft argued: "It is market practice for comprehensive and dynamic data processing services such as cloud services, to be described in general contractual language – as describing it in overly granular detail would impose unreasonable and counterproductive burdens on the contractual parties - including because sensitive and ever-improving cybersecurity measures cannot be fully captured in any static set of contracts or public statements".

The EDPS rejected Microsoft's argument, stating that "any market practice that does not comply with the law cannot be deemed acceptable and compliant merely because it might be widespread". It concluded that it had seen no evidence to demonstrate that instructions were suggested by Microsoft Ireland and accepted by the Commission in a manner that would meet the requirements of the Regulation.

We will watch with interest to see whether Microsoft challenges this Decision. In any event, clients should keep in mind the level of detail the EDPS has indicated is required, and the fundamental importance of a clear description of the categories of personal data and the processing purposes, particularly in contractual schedules. The EDPS' comments on the use of AI and on the "layered approach" of service providers' contracting structures are also worth considering in relation to clients' existing data processing agreements.

[1] Case C-311/18 Data Protection Commissioner v Facebook Ireland and Maximillian Schrems
