European Union: Issued EDPS ruling regarding its investigation into the legality of the European Commission’s use of Microsoft 365

On 11 March 2024, the European Data Protection Supervisor (EDPS) issued its ruling regarding the investigation into the legality of the European Commission’s use of Microsoft 365. The EDPS opened an investigation in May 2021 as part of the EDPS's role in ensuring compliance with EU data protection regulations. In particular, the EDPS has found that the European Commission's use of Microsoft 365 infringes several key data protection rules, including those regarding the transfer of personal data outside the EU/European Economic Area (EEA) and the specification of data collection purposes. Due to this, the EDPS imposed corrective measures, including suspending data flows to Microsoft and its affiliates in countries without an adequacy decision and requiring processing operations to comply with EU data protection law by 9 December 2024.