
EDPS Closes Microsoft 365 Investigation, But Legal and Political Challenges Remain

Aug 4
The EDPS Microsoft investigation into the Commission’s use of Microsoft 365 is now closed, but the core risks remain.

Background to the EDPS Investigation into Commission's use of Microsoft 365

The European Data Protection Supervisor (EDPS) has closed its enforcement investigation into the European Commission’s use of Microsoft 365, after confirming that the Commission implemented all required measures to comply with EU data protection rules.

The EDPS’s earlier Decision of 8 March 2024 had found that the Commission’s deployment of Microsoft 365 infringed several provisions of Regulation (EU) 2018/1725, specifically in the areas of purpose limitation, international data transfers, and unauthorised disclosures of personal data. These findings led the EDPS to require the Commission to take concrete corrective steps, to order the Commission to suspend all personal data flows to Microsoft (and its affiliates/sub-processors) in countries without an EU adequacy decision if compliance could not be ensured, and to overhaul its contracts and practices by the end of 2024 to address the above issues.

After receiving a compliance report in December 2024 and further clarifications (including a 3 July 2025 letter detailing additional measures), the EDPS concluded in an 11 July 2025 letter that all the earlier infringements had been resolved.

Original Issues and Corrective Measures Implemented by the Commission

In response to the EDPS Decision, the European Commission worked with Microsoft to implement a series of technical, contractual, and organisational measures targeted at each of the problem areas. The key compliance measures taken are summarized below, based on the EDPS press release – note that full details are not publicly available:

1. Purpose Limitation Violations

Issue identified by EDPS (2024):

  • Lack of explicit specification of personal data categories and processing purposes.

  • Microsoft was not fully bound to process data solely on the Commission’s documented instructions.

  • No sufficient checks on further processing or its compatibility with original purposes.

Corrective measures implemented by the Commission:

  • Updated the Microsoft 365 contracts to explicitly define types of personal data and specific purposes of processing.

  • Implemented updated contractual, technical, and organisational measures to bind Microsoft and sub-processors to process data solely on documented instructions and only for specified public-interest purposes. (my note: unclear what was done here more than amending the contract)

  • Further processing is limited to within the EEA under EU or Member State law, or (if outside the EEA) under third-country law that ensures essentially equivalent protection. (my note: this is likely a contractual change)

2. International Data Transfer Risks

Issue identified by EDPS (2024):

  • No clear mapping of recipients, purposes, or countries for third-country transfers.

  • Insufficient assessment of need for additional safeguards for transfers outside EU/EEA.

  • Potential transfers to countries without adequacy decisions not properly controlled.

Corrective measures implemented by the Commission:

  • Identified specific recipients and purposes for which data can be transferred. (my note: this is likely a contractual change)

  • Limited transfers outside the EU/EEA to countries listed in the amended contract, relying only on adequacy decisions or Article 50(1)(d) derogations (important reasons of public interest). (my note: this is likely a contractual change)

  • “The Commission and Microsoft have implemented technical and organisational changes to how Microsoft 365 services are provided to the Commission.” (my note: undisclosed what changes)

  • Microsoft also finalised implementation of the EU Data Boundary and committed to minimising transfers by localising infrastructure and staffing.

  • Issued strict instructions to Microsoft and sub-processors on transfer restrictions.

3. Unauthorized Disclosures of Personal Data

Issue identified by EDPS (2024):

  • No guarantee that disclosures or non-notification would occur only under EU law or third-country law with equivalent protection.

  • Contractual terms lacked enforceable limitations tied to legal equivalence.

Corrective measures implemented by the Commission:

  • The Commission added contractual terms stating that Microsoft and its sub-processors may omit notification to the Commission of disclosure requests only when required by EU or Member State law (for data processed in the EEA), or by third-country law that provides an essentially equivalent level of protection (for data processed outside the EEA). (my note: see last section below)

  • Disclosure is permitted only where required under such laws. (my note: see last section below)

  • “These contractual safeguards are complemented by technical and organisational measures.” (my note: undisclosed what those are. It would have been great to have a glimpse of what they encrypted and whether Microsoft does or doesn’t have access to the encryption key. This was a core aspect in the French decision in Doctolib, where the courts, all the way up to the supreme court, found that the data is adequately protected when the cloud provider does not have access to the encryption key, since data cannot be read by third parties)

EDPS Confirms Compliance and Closes the Investigation, but Court Cases Remain

After the Commission reported these changes and provided evidence of compliance, the EDPS verified that the issues from the 2024 Decision were resolved. The EDPS stated that it engaged in months of monitoring and dialogue – including reviewing the Commission’s December 2024 compliance report and obtaining clarifications into mid-2025 – to ensure the new measures were sufficient. In a letter dated 11 July 2025, EDPS Supervisor Wojciech Wiewiórowski formally concluded that “the infringements identified in the EDPS’ 2024 Decision have been remedied”.

The EDPS found that the factual situation had “substantially changed” compared to the time of the original decision, thanks to the corrective actions taken. Consequently, the EDPS declared the Commission to be in compliance with the EU’s institutional data protection rules regarding Microsoft 365 and closed the enforcement proceedings. The EDPS emphasised the collaborative effort and expressed appreciation for Microsoft’s cooperation in aligning with the Commission’s requirements.

However, the EDPS also reiterated that this finding was limited to the specific issues addressed in the enforcement decision. Other aspects of the Commission’s use of Microsoft 365 were not evaluated and remain outside the scope of the closure.


It’s also worth noting that both Microsoft and the Commission have challenged the original EDPS decision before the General Court of the EU:

  • Case T-262/24: The European Commission claimed errors of law, overreach in interpreting Regulation 2018/1725, and disproportionality of the imposed corrective measures.

  • Case T-265/24: Microsoft Ireland Operations Ltd has also sought annulment of the decision and argues that the EDPS acted without sufficient factual grounding.

At the time of writing both cases remain pending, and the closure of the investigation has no automatic consequence for them. The Commission or Microsoft may choose to withdraw their actions, but this remains to be seen.

Changes in the Microsoft Data Processing Terms

As the lead purchaser in an inter-institutional licensing agreement (ILA) with Microsoft, the Commission has extended the same improved contract terms and data protection safeguards to other EU institutions and bodies that are part of the collective Microsoft 365 contract. This means that any EU institution subscribing to Microsoft 365 under the ILA can benefit from the Commission’s negotiated enhancements.

Microsoft updated its public data processing terms in February 2025, and several of the Commission’s fixes are reflected in the public DPA, such as instruction-based processing, reliance on SCCs, transparency around subprocessors, and commitments on confidentiality and incident handling. However, these are broad, baseline safeguards. The contractual precision, legal tailoring, and binding limitations negotiated by the Commission under the ILA, particularly around purpose limitation tied to specific (public-interest) tasks, mapped transfer destinations with per-transfer legal grounds, and foreign disclosure clauses conditional on legal equivalence, are not included in Microsoft’s standard commercial terms. These remain exclusive to EU institutions under the ILA framework and are not available to private-sector customers at least for now.

So Were The Transfer Issues Really Solved?

During a hearing before the French Senate’s Law Committee in June 2025, Microsoft’s French public sector leaders, including Anton Carniaux (Director of Public and Legal Affairs) and Pierre Lagarde (Technical Director), were questioned about risks related to foreign access to data processed for French public authorities via contracts with UGAP (France’s State Purchasing Agency).

Carniaux acknowledged that while Microsoft has internal procedures to challenge or redirect unjustified data access requests, he could not guarantee that data held by Microsoft in Europe would never be disclosed to U.S. authorities under the Cloud Act. He explained that such requests are scrutinised and often contested, but a binding order from a U.S. court could prevail.

He added that Microsoft has seen jurisprudential evolution since the Obama administration, with U.S. requests now needing to be narrowly tailored and justified, but the extraterritorial reach of the Cloud Act remains a reality. This acknowledgement underscores that even with the strongest contractual protections and even with the data never being physically sent to the U.S., legal exposure persists for data processed by U.S.-owned providers on behalf of EU public entities.

The EDPS Decision and corrective measures do not explicitly reference or cite the U.S. Cloud Act, nor do they even refer to the risk of foreign government access. The focus was framed more generally around third-country laws and the requirement that any such laws must provide an essentially equivalent level of protection, and that disclosure or non-notification must be limited to what EU or EEA law permits.

The Commission did secure a contractual obligation to this effect, but let’s say the quiet part out loud: contracts cannot override the application of binding legislation. They may define access procedures or reinforce due process guarantees, but they cannot insulate data from laws like the Cloud Act that apply extraterritorially.

The Cloud Act remains enforceable against U.S.-based providers and can, in principle, compel Microsoft to disclose data held by its subsidiaries in Europe, regardless of what the contract says or who the client is. While Microsoft can challenge such orders under the Cloud Act’s comity provisions, that process is discretionary and does not preclude enforcement.

From this perspective, the assertion that the Commission has “ensured lawfulness” through contractual transfer restrictions alone is, at best, optimistic, and at worst, incompatible with the legal realities at play. That said, one could also read the EDPS position as a pragmatic regulatory move: short of declaring that no EU institution (or entity, really) can lawfully use a U.S.-based provider, their only option was to accept strengthened safeguards and binding commitments as sufficient, despite the ever-unresolved issue known since at least Schrems I: that no contractual safeguard can neutralize the extraterritorial reach of U.S. surveillance law, a political and legal impasse that EU regulators have no authority to resolve on their own.
