EU Cloud Microsoft Privacy

EU's Use of Microsoft 365 Found To Breach Data Protection Rules (techcrunch.com) 46

An anonymous reader quotes a report from TechCrunch: A lengthy investigation into the European Union's use of Microsoft 365 has found the Commission breached the bloc's data protection rules through its use of the cloud-based productivity software. Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed "several key data protection rules when using Microsoft 365." "The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365," the data supervisor, Wojciech Wiewiorowski, wrote, adding: "The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf." The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft's cloud suite. The regulator, which oversees EU institutions' compliance with data protection rules, opened a probe of the Commission's use of Microsoft 365 and other U.S. cloud services back in May 2021. [...]

The Commission confirmed receipt of the EDPB's decision and said it will need to analyze the reasoning "in detail" before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with "the applicable data protection rules, both in fact and in law." It also said "various improvements" have been made to contracts, with the EDPS, during its investigation. "We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation," it said. "The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission."

"The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission," it went on, further noting: "New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft." While the Commission's public statements reiterated that it's committed to compliance with its legal obligations, it also claimed that "compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services." "This applies not only to Microsoft but potentially also to other commercial IT services. But we need to first analyze the decision's conclusions and the underlying reasons in detail. We cannot provide further comments until we have concluded the analysis," it added.

  • by e065c8515d206cb0e190 ( 1785896 ) on Monday March 11, 2024 @05:24PM (#64308005)
    When rules are so convoluted that rulemakers end up breaking them
    • by Anonymous Coward
      The EC has a history of ignoring GDPR when it suits them and their language in this release continues that tradition by indicating that they consider any advice from EDPS is advisory at best.
    • by Dagger2 ( 1177377 ) on Monday March 11, 2024 @08:09PM (#64308465)

      I think it's less the rules being convoluted and more that the sheer lack of care about privacy is so utterly pervasive in the IT industry.

      Their productivity software should never have been running anywhere other than in-house in the first place.

      • I think it's less the rules being convoluted and more that the sheer lack of care about privacy is so utterly pervasive in the IT industry.

        Lack of care strikes me as not quite on-point. In fact, it's a distinct deep-seated care for what should be private being available to the industry. For the purposes of "improving user experience." (i.e. selling all that ripe data for targeting advertising.)

        Their productivity software should never have been running anywhere other than in-house in the first place.

        This I agree with. And I find it incredibly frustrating that we've become so enamored in the business world with shirking responsibility to "that vendor" that we've collectively given up nearly all control over our in-house systems. I know the quote is a

      • by jrepin ( 667425 )
        Exactly. Couldn't agree more. Spyware stuff like this should be outlawed and prohibited and some smart European countries already did this with Microsoft and Google cloud in public institutions and schools. All software in use by governments and public institutions that are financed by taxes should adhere to principle of Public Money, Public Code [publiccode.eu] and use only libre and opensource software. Not to mention they should insist on using only free and open formats (like OpenDocument Format for office documents), p
    • ... when lawmakers are at the IT skill-level of a 1st-grader.

      The nonsense that gets put out by lawmakers has nothing to do with the usefulness and the quite very good design of the EU GDPR and everything to do with the abysmal lack of culture concerning IT and the dealing with and usage of digital devices and the protocols, services and applications that come with them.

      Until learning the very basics of handling an end-user device becomes mandatory for children, like learning to read and to write, this

    • The rules aren't convoluted at all. The GDPR isn't a particularly long piece of legislation. The rule makers just weren't interested in following them.

    • by AmiMoJo ( 196126 )

      You say that as if the EU is some kind of monolithic organization with a single mind guiding all actions.

      It's actually pretty common for the legislative part of government to pass a law, and then some other branch find themselves on the wrong side of it. For example, Birmingham City Council recently had to pay out huge sums of back-pay to women who were not paid equally to men, under rules introduced by the UK government.

  • Breaking News - EU fine themselves €30B for GDPR violations.

  • Time to develop _alternatives_. MS is going down the drains and not a good strategic dependency.

    • LibreOffice is there for the using. And no we don't need this cloud crap.
      • by gweihir ( 88907 )

        Well, one of the insurances I audit has that as a vendor-replacement strategy for o365. They needed to transfer the most important templates, but that was it. Not that hard to do. You just need to do it.

        • Well, one of the insurances I audit has that as a vendor-replacement strategy for o365. They needed to transfer the most important templates, but that was it. Not that hard to do. You just need to do it.

          Some people and companies have a lot invested in Excel spreadsheets which use capabilities not available in Calc. And I hear moving from Word to Writer can be a major pain for some people; I've been off Microsoft forever and was never an office suite power user anyway so I don't have much experience of that. And I'm not sure about porting from Access to Base. But yes, moving to Libre Office would be a great idea.

          Unfortunately, a lot of companies have IT departments whose quality of support isn't even up to

          • by higuita ( 129722 )

            True, some Excel docs are harder to port to LibreOffice, but let's try a radical idea... how about porting that to a real program, say local or even better, web based...
            instead of having 20 docs with random names, outdated formulas or data... or both, instead of lost files and data, viruses or mistakes, make a f*ck web site that does whatever you need... load the data via CSV or other ways, process that in a good way, store in a DB or an S3-like storage and have all the people automatically use the latest version

            • True, some Excel docs are harder to port to LibreOffice, but let's try a radical idea... how about porting that to a real program, say local or even better, web based...

              You had me until that "web based" part. If we're using the web to create or manipulate files and data when they can easily and cheaply be done locally, then we're doing it wrong. Taking work that's not resource-intensive and putting it on servers you don't control, at the end of a long wire that can and will break, is just stupid.

              • by pjt33 ( 739471 )

                The jump from "web-based" to "on servers you don't control" is a non sequitur. It's perfectly possible for a large organisation to host its own software on its own servers.

              • Re: (Score:2, Flamebait)

                by drinkypoo ( 153816 )

                You had me until that "web based" part. If we're using the web to create or manipulate files and data when they can easily and cheaply be done locally, then we're doing it wrong. Taking work that's not resource-intensive and putting it on servers you don't control, at the end of a long wire that can and will break, is just stupid.

                You can control your own web servers. Some of us have been doing it for decades. Using a web interface potentially means your application is device agnostic. Most of the things people do with big complicated spreadsheets would better be done with an app+database model. You could for example load your data into a database, access it from Drupal with the Views Database Connector module, and create logic with the ECA and BPMN.io modules. Then the logic can actually be exported, unlike in Excel where it's trapp

                • Thinking using a web interface means you're hosting remotely is just stupid.

                  Fair point - although I'm not sure I was being entirely stupid. The vast majority of people - from individuals to big businesses - now host their web-based stuff remotely rather than on their own in-house servers. I think that's stupid, but if you prefer, I'll dial it back a notch and call it "unwise".

                  • Well, I do think it is stupid to remotely host everything. Outsourcing is a three-edged sword, or something.

                  • by higuita ( 129722 )

                    hey, if a company is ok with hosting EVERYTHING in the cloud, you can do that also here

              • by higuita ( 129722 )

                I'm talking about company-owned servers, so you centralize those editings. Think like a fileserver, but with a webserver and some code to process what the Excel would do (you can choose your preferred language, C#, Go, Python, Perl, PHP, etc., whatever you have in-house, or just hire a developer to do and maintain that)

                you don't need to go to a cloud server

                you can even do it locally, as long as it auto-updates to make sure you are always using the same version everywhere

      • In business and large organizations like the EU, the ability to share documents is the real selling point of Office, not the editing of documents. This sharing (via the cloud) and storage in the cloud, is what got them into trouble.

        • Maybe. Before we had Office 365, Office did not need any selling point besides the fact that everyone else was using it. And before we had Office 365, we often had document management systems that were actually any good*, and allowed easy sharing and managing access to documents. But it seems we have largely forgotten about those**

          *) Sharepoint is definitely not one of them, I'd hesitate to call it a document management system of any quality.
          **) Thanks to Sharepoint.
          • Those document management systems of the past, like SharePoint, were clunky and difficult to manage. OneDrive is seamless and generally "just works." It solves a problem many companies have faced in the past: How to ensure that local documents are backed up and shareable, in a secure way, controllable by IT. No major products in the past have come close to offering what OneDrive does today.

    • by guruevi ( 827432 )

      They had that option a few decades ago, instead of going with Linux and OpenOffice they decided to regulate Microsoft instead to the point they believed they could continue with the Windows+Office and took the winds out of the sails for many open source projects.

      Now all their data is in the Microsoft and Google clouds, good luck getting it out.

      • by gweihir ( 88907 )

        Indeed. Complete strategic failure.

      • That wasn't the EU, it was the City of Munich who made their own Linux distro based on Ubuntu and Openoffice.
        They switched back to Windows in slightly questionable circumstances. [wikipedia.org]
        I like this bit in the Wikipedia article:

        Reiter denied that he had initiated the reversal in gratitude for Microsoft moving its German headquarters from Unterschleißheim back to Munich.

        That seems to make it pretty clear what happened there.

        • by higuita ( 129722 )

          it also had technical problems, the distro and OpenOffice were frozen, so after some years, you had much better software and fixes on recent distros and LibreOffice, but they could not upgrade and had to backport fixes or work around those. It was a good first attempt, but just like many other migrations, some initial decisions returned to bite them later on and when managing thousands of machines, they didn't want to have multiple versions. Sadly they could have solved many of that by using ansible instead o

        • by guruevi ( 827432 )

          That was just one example, Office Open XML vs Open Office XML was the regulatory failure. The EU demanded open formats and then collaborated with Microsoft on writing the law which today is still not sufficiently open. At every point the EU regulated Microsoft back into EU government business and shaped a monopoly around Microsoft. Now they’re complaining that they’re all stuck in the cloud, well, we told you back in the day when it was still Micro$oft and Bill Gates depicted as the borg.

  • Does this mean that Microsoft gets to fine the EU a few billion dollars?

    I mean, turnabout is fair play isn't it? Where is the big penalty when the EU violates its own rules?

  • I have a simple solution: EU administration can run its own cloud with Collabora Office/Only Office/NextOffice/NextCloud and LibreOffice/Linux on their desktops. Intentionally I mentioned Collabora, since that company can provide support and data safety.
