The European Commission’s use of Microsoft 365 infringes data protection law for EU institutions and bodies. This is the statement by the European Data Protection Supervisor (EDPS), the independent supervisory authority for the protection of personal data and privacy for EU institutions, as published in its press release EDPS/2024/05 of 11 March 2024.
The EDPS has ordered the Commission to suspend all relevant data flows to Microsoft in countries outside the European Union (EU)/European Economic Area (EEA). The EDPS has also ordered the Commission to bring operations with Microsoft 365 into compliance with Regulation (EU) 2018/1725, the data protection law for EU institutions. The Commission must demonstrate compliance with both orders by 9 December 2024.
The reason is that the Commission has infringed Regulation (EU) 2018/1725. In particular, the Commission has failed to provide appropriate safeguards when transferring personal data outside the EU/EEA. Furthermore, the Commission did not sufficiently specify which types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365. The Commission’s infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf.
Lately, the Commission is flirting dangerously with the dark side of personal data usage. Generation 2004 already highlighted the abuse of private phones, bad recruitment/testing practices by EPSO and the unnecessary sharing of personal and sensitive information internally. We listed some of the contradictions in guidance to staff already in 2022 and raised the issues of risk assessment and the legal framework for fingerprint access to buildings.
The 20.12.2023 plenary of the Central Staff Committee (CSC), the forum where Generation 2004 and other trade unions and staff associations (OSPs) collaborate on issues affecting all staff, requested that the Director-General for Human Resources and Security and the Principal Adviser Data Protection Officer clarify the data-protection rules that were (not) applied when requesting that staff join Signal groups supposedly for business-continuity purposes. The staff committee suggested there that colleagues who have not explicitly agreed in writing to join a Signal group be removed from that group.
We believe that this falls within the realm of data minimisation: many staff shared their private mobile numbers and joined WhatsApp groups at the beginning of the pandemic while they were without access to the network or without a computer, but now find themselves expected to join the next work group (and the next one) and to respond to messages day and night. Many staff would now like to leave those work groups (we have corporate applications for communication during working time, and Sysper already contains our phone numbers for those who need access to them) without it being announced to everyone that ‘XX left the group’ and without having to justify this choice or being judged on it. It is inconsistent for employers anywhere to talk about a disconnection period/digital detox and work-life balance on the one hand and then to insist on staff belonging to work groups on private devices on the other.
As reproduced in the minutes of the Central Staff Committee of 25/01/24, HR confirmed that there is no obligation to provide private phone numbers for any work-related matter, but the Commission has yet to reply formally to the staff committee letter.
Generation 2004 keeps insisting that the Commission apply data-protection law in full and respect the privacy of staff.
If you appreciate our work, please consider becoming a member of Generation 2004.