Following its investigation, the EDPS has found that the European Commission (Commission) has infringed several key data protection rules when using Microsoft 365. In its decision, the EDPS imposes corrective measures on the Commission.

The EDPS has found that the Commission has infringed several provisions of Regulation (EU) 2018/1725, the EU’s data protection law for EU institutions, bodies, offices and agencies (EUIs), including those on transfers of personal data outside the EU/European Economic Area (EEA).

    • Jure RepincOP
      link
      fedilink
      English
      199 months ago

      They should ditch them for so many other reasons too. Also Public Money, Public Code. Al public institutions should only use libre and opensurce software. The only way to preserve privacy, freedom, and digital sovereignty.

      • @[email protected]
        link
        fedilink
        89 months ago

        Some European entities have already jumped to LibreOffice. It’s a European-made drop-in replacement. I’m surprised at them not simply ordering the Commission to switch immediately.

        • Joël de Bruijn
          link
          fedilink
          29 months ago

          LibreOffice by itself isn’t a drop in replacement for Office365.

          LibreOffice + NextCloud + Jitsi/Bluebutton + Grafana + bunch of other services together could be.

          If NextCloud does the storage / mail / calendaring/ contacts / tasks / notes etc.

          And if the hoster ties some loose ends for Forms, Powerautomate, Kanban oh and everything Azure.

            • Joël de Bruijn
              link
              fedilink
              19 months ago

              Then we can safely agree just LibreOffice alone and by itself is even more “ridiculous” I think.

              Also “could be” icw “loose ends” carry a lot of weight I think.

              Also Enterprise differ in requirements so there are organizations for which current NC would suffice.

      • @TCB13
        link
        English
        -19 months ago

        Your assessment is all fun and games until you realizasse they don’t have another option right now than using Microsoft 365. They’ll simply pressure Microsoft into implementing a few changes to comply with the legislation and move on. Microsoft also doesn’t want their large governmental customers so they’ll do it.

    • BrikoX
      link
      fedilink
      English
      89 months ago

      At least temporarily, yes.

      The EDPS has therefore decided to order the Commission, effective on 9 December 2024, to suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision. The EDPS has also decided to order the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation (EU) 2018/1725. The Commission must demonstrate compliance with both orders by 9 December 2024.

      Source: https://www.edps.europa.eu/system/files/2024-03/EDPS-2024-05-European-Commission_s-use-of-M365-infringes-data-protection-rules-for-EU-institutions-and-bodies_EN.pdf

  • @[email protected]
    link
    fedilink
    79 months ago

    Probable course of action is MSFT implementing a hotfix in the next 3-6 months, that will be nowhere near to address the topic.

    Another 2 years of EDPS investigation.

    Then MSFT will release another patch 3-6 months after that actually solves the issue.

    But in the meantime, they would have implemented another mechanism to spy on users.

    Rince and repeat.

    • Ephera
      link
      fedilink
      29 months ago

      I don’t think, you can hotfix this. Microsoft is a US company and therefore by US law (PATRIOT & CLOUD act) required to violate EU data protection laws (unless they retract from the EU market, of course).

      I mean, that it took the EU this long to react to something that’s clearly been amiss since the GDPR went into force, that certainly doesn’t have my hopes high, but I don’t think Microsoft needs to be involved to filibuster the enforcememt of this.