Two weeks ago, the European Data Protection Supervisor dropped a bombshell in the data transfer world. In short, the EDPS issued two orders against the European Commission:
- Effective 9 Dec., the Commission must suspend all data flows resulting from its use of Microsoft 365 to Microsoft and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision.
- By 9 Dec., the Commission must bring its processing operations into compliance through corrective measures imposed by the EDPS.
The EDPS published the 180-page full decision, which imposes a long list of corrective measures on the Commission. Among them, Microsoft must ensure, through contractual arrangements and organizational and technical measures, that for personal data processed outside the European Economic Area: any prohibition on notifying the Commission of a request for disclosure constitutes a necessary and proportionate measure in a democratic society; and no disclosures of personal data by Microsoft or its sub-processors are to take place unless the disclosure is required by third-country law that ensures a level of protection essentially equivalent to that in the EEA.
The EDPS defined these "appropriate, necessary and proportionate" corrective measures based on several criteria: the seriousness and duration of the infringements found, their impact on a large number of individuals, the need to protect the Commission’s ability to carry out tasks, and the need to allow appropriate time for the Commission to implement the foreseen suspension of relevant data flows.
In a recent post, University of Grenoble Alpes law professor Theodore Christakis highlighted some points of interest found in the EDPS decision, including the interplay between transparency and secrecy: the EDPS is questioning, due to the secrecy requirements enshrined in the U.S. legal environment, Microsoft's assurances denying any provision of EU public sector customer data to any government. Christakis also noted the reciprocity between proportionality and cybersecurity in the disagreement between the EDPS on the one side and the Commission and Microsoft on the other concerning the safety of using on-premises software versus cloud-based services.
These two points alone reflect yet again that the ever-present concept of digital sovereignty is still very intertwined with expectations of a zero-risk approach to trans-Atlantic data transfers. The EDPS decision only applies to the Commission, and by extension to EU institutions and agencies. But the signals it sends go well beyond the EU apparatus.
Elsewhere:
- The European Commission launched investigations into Alphabet, Meta and Apple for potential breaches of the EU Digital Markets Act. The issues being investigated touch on some of the DMA's core and most challenging provisions. For instance, the Commission is investigating whether Alphabet and Apple are breaching Article 5(4) by not allowing apps to freely communicate with users and make contracts with them. User choice obligations are also being investigated to determine whether Apple is giving users enough choice regarding, among other things, being able to select an alternative default service. The Commission is also looking at whether Meta's pay-or-consent model is, in fact, providing a real alternative in case users do not consent. Finally, Google is being investigated to determine whether it gives preference to its own goods and services in search results. The Commission aims to conclude the investigations this time next year.
- The European Commission is populating its webpage "Find your Digital Services Coordinator" as member states were due to appoint their DSC by 17 Feb. A few missed the deadline but the list as it stands covers more than half of member states. It also illustrates the diversity of regulators tasked with enforcing this new package of rules — whether they lead on competition, media or communications.
- The European Union Agency for Cybersecurity released its "Foresight Cybersecurity Threats for 2030" report, in which skills shortage ranks second among the top 10 threats. The rise of digital surveillance and loss of privacy ranks fifth, though it declined slightly in both impact and likelihood over the past year. Threats related to software dependencies and "advanced disinformation/influence" campaigns remain significant, while long-term threats such as the skills shortage and service providers as a single point of failure intensify, and AI-related threats gain likelihood.