European Union: Issued EC appeal to EDPS ruling regarding its investigation into the legality of the European Commission’s use of Microsoft 365

On 17 May 2024, the European Commission (EC) appealed the ruling of the European Data Protection Supervisor (EDPS) regarding its investigation into the legality of the European Commission's use of Microsoft 365. The EC demanded the court to annul the EDPS ruling, based on pleas, which allege erroneous interpretation and application of several articles of the Regulation (EU) 2018/1725 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (EUDPR). The EDPS opened an investigation in May 2021 as part of the EDPS's role in ensuring compliance with EU data protection regulations. In particular, the EDPS had found that the European Commission's use of Microsoft 365 infringes several key data protection rules, including those regarding the transfer of personal data outside the EU/European Economic Area (EEA) and the specification of data collection purposes. Due to this, the EDPS imposed corrective measures, including suspending data flows to Microsoft and its affiliates in countries without an adequacy decision and requiring processing operations to comply with EU data protection law by 9 December 2024.