EU's Use of Microsoft 365 Found To Breach Data Protection Rules (techcrunch.com) 46
An anonymous reader quotes a report from TechCrunch: A lengthy investigation into the European Union's use of Microsoft 365 has found the Commission breached the bloc's data protection rules through its use of the cloud-based productivity software. Announcing its decision in a press release today, the European Data Protection Supervisor (EDPS) said the Commission infringed "several key data protection rules when using Microsoft 365."
"The Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes when using Microsoft 365," the data supervisor, Wojciech Wiewiorowski, wrote, adding: "The Commission's infringements as data controller also relate to data processing, including transfers of personal data, carried out on its behalf." The EDPS has imposed corrective measures requiring the Commission to address the compliance problems it has identified by December 9 2024, assuming it continues to use Microsoft's cloud suite. The regulator, which oversees' EU institutions' compliance with data protection rules, opened a probe of the Commission's use of Microsoft 365 and other U.S. cloud services back in May 2021. [...]
The Commission confirmed receipt of the EDPB's decision and said it will need to analyze the reasoning "in detail" before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with "the applicable data protection rules, both in fact and in law." It also said "various improvements" have been made to contracts, with the EDPS, during its investigation. "We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation," it said. "The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission."
"The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission," it went on, further noting: "New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft." While the Commission's public statements reiterated that it's committed to compliance with its legal obligations, it also claimed that "compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services." "This applies not only to Microsoft but potentially also to other commercial IT services. But we need to first analyze the decision's conclusions and the underlying reasons in detail. We cannot provide further comments until we have concluded the analysis," it added.
The Commission confirmed receipt of the EDPB's decision and said it will need to analyze the reasoning "in detail" before taking any decision on how to proceed. In a series of statements during a press briefing, it expressed confidence that it complies with "the applicable data protection rules, both in fact and in law." It also said "various improvements" have been made to contracts, with the EDPS, during its investigation. "We have been cooperating fully with the EDPS since the start of the investigation, by providing all relevant documents and information to the EDPS and by following up on the issues that have been raised in the course of the investigation," it said. "The Commission has always been ready to implement, and grateful for receiving, any substantiated recommendation from the EDPS. Data protection is a top priority for the Commission."
"The Commission has always been fully committed to ensuring that its use of Microsoft M365 is compliant with the applicable data protection rules and will continue to do so. The same applies to all other software acquired by the Commission," it went on, further noting: "New data protection rules for the EU institutions and bodies came into force on 11 December 2018. The Commission is actively pursuing ambitious and safe adequacy frameworks with international partners. The Commission applies those rules in all its processes and contracts, including with individual companies such as Microsoft." While the Commission's public statements reiterated that it's committed to compliance with its legal obligations, it also claimed that "compliance with the EDPS decision unfortunately seems likely to undermine the current high level of mobile and integrated IT services." "This applies not only to Microsoft but potentially also to other commercial IT services. But we need to first analyze the decision's conclusions and the underlying reasons in detail. We cannot provide further comments until we have concluded the analysis," it added.
That's what happens (Score:4, Insightful)
Re: (Score:1)
Re:That's what happens (Score:4, Insightful)
I think it's less the rules being convoluted and more that the sheer lack of care about privacy is so utterly pervasive in the IT industry.
Their productivity software should never have been running anywhere other than in-house in the first place.
Re: (Score:2)
I think it's less the rules being convoluted and more that the sheer lack of care about privacy is so utterly pervasive in the IT industry.
Lack of care strikes me as not quite on-point. In fact, it's a distinct deep-seated care for what should be private being available to the industry. For the purposes of "improving user experience." (i.e. selling all that ripe data for targeting advertising.)
Their productivity software should never have been running anywhere other than in-house in the first place.
This I agree with. And I find it incredibly frustrating that we've become so enamored in the business world with shirking responsibility to "that vendor" that we've collectively given up nearly all control over our in-house systems. I know the quote is a
Re: (Score:2)
Re: (Score:2)
cooff... you have free software (both as beer and speech) that can replace all that and cost much less
libreoffice have both local and web based solutions and it works well... sure, a few things are different, but peoples also had to learn the different things in the office 365 and didn't complained, nor the huge amount of people that use google docs and stopped using MS office... both prove that while people complain when something change, with a little of time, they accept the change. and libreoffice is no
No, absolutely not. That's what happens ... (Score:3)
... when lawmakers are at the IT skill-level of a 1st-grader.
The non-sense that get's put out by lawmakers has nothing to do with the usefulness and the quite very good design of the EU GDPR and everything to do with the abysmal lack of culture concerning IT and the dealing and with and usage of digital devices and the protocols, services and applications that come with them.
Until learning the very basics of handling an end-user device becomes mandatory for children, like learning to read and to write, this
Re: (Score:2)
The rules aren't convoluted at all. The GDPR isn't a particularly long piece of legislation. The rule makers just weren't interested in following them.
Re: (Score:2)
You say that as if the EU is some kind of monolithic organization with a single mind guiding all actions.
It's actually pretty common for the legislative part of government to pass a law, and then some other branch find themselves on the wrong side of it. For example, Birmingham City Council recently had to pay out huge sums of back-pay to women who were not paid equally to men, under rules introduced by the UK government.
News - EU fine themselves €30B for GDPR viola (Score:2)
Breaking News - EU fine themselves €30B for GDPR violations.
Re: News - EU fine themselves €30B for GDPR v (Score:1)
Thatâ(TM)s one way of raising taxes and getting themselves out of the budget shortages.
Such a surprise (Score:2)
Time to develop _alternatives_. MS is going down the drains and not a good strategic dependency.
Re: (Score:2)
Re: (Score:2)
Well, one of the insurances I audit has that as a vendor-replacement strategy for o365. They needed to transfer the most important templates, but that was it. Not that hard to do. You just need to do it.
Re: (Score:2)
Well, one of the insurances I audit has that as a vendor-replacement strategy for o365. They needed to transfer the most important templates, but that was it. Not that hard to do. You just need to do it.
Some people and companies have a lot invested in Excel spreadsheets which use capabilities not available in Calc. And I hear moving from Word to Writer can be a major pain for some people; I've been off Microsoft forever and was never an office suite power user anyway so I don't have much experience of that. And I'm not sure about porting from Access to Base. But yes, moving to Libre Office would be a great idea.
Unfortunately, a lot of companies have IT departments whose quality of support isn't even up to
Re: (Score:3)
True, some excel docs are harder to port to libreoffice, but lets try a radical idea... how about porting that to a real program, say local or even better, web based...
instead of having 20 docs with random names, outdated formulas or data... or both, instead of lost files and data, virus or mistakes, make a f*ck web site that do whatever you need... load the data via csv or other ways, process that in a good way, store in a DB or a S3 like storage and have all the people automatically use the latest version
Re: (Score:2)
True, some excel docs are harder to port to libreoffice, but lets try a radical idea... how about porting that to a real program, say local or even better, web based...
You had me until that "web based" part. If we're using the web to create or manipulate files and data when they can easily and cheaply be done locally, then we're doing it wrong. Taking work that's not resource-intensive and putting it on servers you don't control, at the end of a long wire that can and will break, is just stupid.
Re: (Score:2)
The jump from "web-based" to "on servers you don't control" is a non sequitur. It's perfectly possible for a large organisation to host its own software on its own servers.
Re: (Score:2, Flamebait)
You had me until that "web based" part. If we're using the web to create or manipulate files and data when they can easily and cheaply be done locally, then we're doing it wrong. Taking work that's not resource-intensive and putting it on servers you don't control, at the end of a long wire that can and will break, is just stupid.
You can control your own web servers. Some of us have been doing it for decades. Using a web interface potentially means your application is device agnostic. Most of the things people do with big complicated spreadsheets would better be done with an app+database model. You could for example load your data into a database, access it from Drupal with the Views Database Connector module, and create logic with the ECA and BPMN.io modules. Then the logic can actually be exported, unlike in Excel where it's trapp
Re: (Score:2)
Thinking using a web interface means you're hosting remotely is just stupid.
Fair point - although I'm not sure I was being entirely stupid. The vast majority of people - from individuals to big businesses - now host their web-based stuff remotely rather than on their own in-house servers. I think that's stupid, but if you prefer, I'll dial it back a notch and call it "unwise".
Re: (Score:1)
Well, I do think it is stupid to remotely host everything. Outsourcing is a three-edged sword, or something.
Re: (Score:2)
hey, if a company is ok with hosting EVERYTHING in the cloud, you can do that also here
Re: (Score:3)
i'm talking about a company owned servers, so you centralize those editings. think like a fileserver, but with a webserver and some code to process what the excel would do (you can choose your preferred language, C#, go, python, perl, php, etc, whatever you have inhouse or just hire a developer to do and maintain that)
you don't need to go to a cloud server
you can even do locally, as long it auto-updates to make sure you are always using the same version everywhere
Re: (Score:2)
citation needed, never eared of that, nor see any reason for that... maybe some secret 3 letters agency that needs to have some plugins installed to manage secret info?
Re: (Score:3)
In business and large organizations like the EU, the ability to share documents is the real selling point of Office, not the editing of documents. This sharing (via the cloud) and storage in the cloud, is what got them into trouble.
Re: (Score:2)
*) Sharepoint is definitely not one of them, I'd hesitate to call it a document management system of any quality.
**) Thanks to Sharepoint.
Re: (Score:2)
Those document management systems of the past, like SharePoint, were clunky and difficult to manage. OneDrive is seamless and generally "just works." It solves a problem many companies have faced in the past: How to ensure that local documents are backed up and shareable, in a secure way, controllable by IT. No major products in the past, have come close to offering what OneDrive does today.
Re: Such a surprise (Score:3, Insightful)
They had that option a few decades ago, instead of going with Linux and OpenOffice they decided to regulate Microsoft instead to the point they believed they could continue with the Windows+Office and took the winds out of the sails for many open source projects.
Now all their data is in the Microsoft and Google clouds, good luck getting it out.
Re: (Score:2)
Indeed. Complete strategic failure.
Re: (Score:2)
Indeed. Complete strategic failure.
Strategy? I think tactics are all that such entities rely on. Strategy seems entirely beyond them.
Re: (Score:2)
Quite possibly, yes.
Re: (Score:2)
They switched back to Windows in slightly questionable circumstances. [wikipedia.org]
I like this bit in the Wikipedia article:
Reiter denied that he had initiated the reversal in gratitude for Microsoft moving its German headquarters from Unterschleißheim back to Munich.
That seems to make it pretty clear whatt happened there.
Re: (Score:2)
it also had technical problems, the distro and openoffice was frozen, so after some years, you had much better software and fixes on recent distros and libreoffice, but they could not upgrade and had to backport fixes or workaround those. It was a good first attempt, but just like many other migrations, some initial decisions returned to bite then later on and when managing thousands of machines, they didn't want to have multiple versions. Sadly they could have solved many of that by using ansible instead o
Re: (Score:1)
That was just one example, Office Open XML vs Open Office XML was the regulatory failure. The EU demanded open formats and then collaborated with Microsoft on writing the law which today is still not sufficiently open. At every point the EU regulated Microsoft back into EU government business and shaped a monopoly around Microsoft. Now they’re complaining that they’re all stuck in the cloud, well, we told you back in the day when it was still Micro$oft and Bill Gates depicted as the borg.
Re: (Score:2)
Microsoft fine EU? (Score:2)
Does this mean that Microsoft gets to fine the EU a few billion dollars?
I mean, turnabout is fair play isn't it? Where is the big penalty when the EU violates its own rules?
use FOSS (Score:2)
I have a simple solution: EU administration can run its own cloud with Collabora Office/Only Office/NextOffice/NextCloud and LibreOffice/Linux on their desktops. Intentionally I mentioned Collabora, since that company can provide support and data safety.
Re: (Score:2)
Taking the bait...
> It's entirely possible to use M365 *and* be compliant.
Actually it is not. Schrems 2:
https://www.gdprsummary.com/sc... [gdprsummary.com]
It is illegal to provide personal information to entities falling under US legislation, which is every US company. Cloud based Office365 becomes illegal to use. The fact that it isn't enforced is a different matter.
Re: (Score:1)
Taking the bait...
> It's entirely possible to use M365 *and* be compliant.
Actually it is not. Schrems 2
Actually, it is. No GDPR data is accessible by MS inside the tenant. All data is processed inside the tenant. Unless some idiot is using the US for geo-redundancy - which as mentioned has nothing to do with M365 and everything to do the tenant administration
Re: (Score:2)
So MS can't access the content of any of the documents stored in the tenant?
It doesn't matter where the data is processed, US law tries to apply everywhere on the globe to US firms. Same as the GDPR to EU citizens.
Re: (Score:1)
So MS can't access the content of any of the documents stored in the tenant?
So you are completely ignorant of how this works *but* you feel your opinion is still valid. Nice.
Re: (Score:2)
Well, it is the opinion of the people at laquadrature.net, and they keep on winning court cases. So, you know...
I'll be the first to admit I know nothing about MS cloud, which is why my first sentence is a question, which you didn't answer.
Re: (Score:1)
, which is why my first sentence is a question, which you didn't answer.
What did your last slave die of?
The answer is in prior response. You opted to ignore that and continue to fling ignorance around like it was fertilizer. No. MS can't access tenant data without jumping through a bunch of hoops.