EU’s data protection supervisor reviewing Microsoft 365 report



Back in March, the European Commission’s use of Microsoft 365 was found to have broken the bloc’s data protection rules. Since then, we haven’t heard much about this awkward situation. But Monday was the deadline for the EU’s executive to respond to the European Data Protection Supervisor’s (EDPS) order requiring it to suspend any infringing data flows and fix its contracts with Microsoft.

On Tuesday, EDPS Wojciech Wiewiórowski confirmed receipt of the Commission’s report, which it said it is now reviewing to determine whether or not the bloc has complied with the March order. “Given the extensive scope of the information and the complexity of the processing operations involved, this analysis will require careful consideration and will be conducted thoroughly within an appropriate timeframe,” Wiewiórowski added, suggesting another long period of radio silence will follow.

The Commission and Microsoft are also both challenging the EDPS decision (cases T-262/24 and T-265/24), which further explains the EDPS’ minimalist remarks now. But 2025 looks like a pivotal year for the issue.




Source