The European Commission, the regulatory body of the European Union that frequently launches investigations of major tech companies, including Microsoft, now finds itself on the other side of this fence. A new ruling by the European Data Protection Supervisor (via TechCrunch) says the EC violated the terms of the EU"s data protection rules via the use of the Microsoft 365 productivity service.
In its press release, the EDPS stated the EC "did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365." In addition, the EC was charged with not putting in enough safeguards to make sure the data sent by Microsoft outside the EU would have the same level of protection that they are supposed to have inside the EU.
The EDPS says the EC must make changes with its use of Microsoft 365 to ensure they comply with the EU"s data protection laws by December 9, 2024. So far, neither the EC nor Microsoft have commented on today"s ruling.
Ironically, the EC launched an investigation into Microsoft 365 in July 2023. At the time, the EC said they were looking into a claim made back in 2020 by Salesforce that Microsoft had violated the EU"s competition rules by bundling its popular Teams video conferencing software with Microsoft 365.
After that investigation was announced, Microsoft said that it would begin offering Teams as a separate service from Microsoft 365 to the EU and Switzerland starting on October 1, 2023. However, unconfirmed reports claim the EC was not yet satisfied with that move by Microsoft.
The investigation into Microsoft 365 and Teams is still ongoing by the EC, but there"s no word on when it will be completed. There"s also no word on possible penalties the EC might use on Microsoft.