European Commission’s use of Microsoft 365 found in violation of EU data protection law 

The European Data Protection Supervisor (EDPS) has found that the European Commission’s use of Microsoft 365 breaches numerous sections of EU Regulation 2018/1725, which serves as the data protection law for EU institutions and agencies. Namely, the Commission’s failure to implement sufficient measures to guarantee that the personal data sent outside the European Economic Area (EEA) was equally protected in other regions. Additionally, the contract between the Commission and Microsoft lacked clear details on the types of personal data collected and the specific purposes for which it is used within Microsoft 365. The Commission’s violations also extend to its role as a data controller, including issues related to data processing and the transfer of personal data conducted on its behalf. Consequently, the EDPS has mandated the European Commission to cease all personal data transfers to Microsoft and its associated entities in non-EU/EEA countries that lack an adequacy decision by December 9, 2024. 

Maintaining rigorous data protection measures, particularly when employing cloud-based solutions, is crucial to upholding the high privacy safeguards enshrined in EU law. This decision also serves as a reminder of the ongoing challenges faced by global technology services in meeting the diverse regulatory requirements of different jurisdictions, particularly those as stringent as the European Union’s. 

Organisations are advised to conduct thorough data protection assessments, strengthen contractual agreements with cloud service providers, and implement stringent data safeguards, particularly for international data transfers. Regular compliance audits, data minimisation, purposeful data processing, employee training, and the development of a robust data breach response plan are also crucial.  

ICO finds the Home Office’s pilot of electronic tagging of migrants breached UK data protection law 

The UK’s Information Commissioner’s Office (ICO) has issued an enforcement notice against the Home Office, and a formal warning relating to inadequate privacy risk assessments of the electronic monitoring of migrants arriving via unauthorised routes. The Home Office’s pilot programme, which involved placing ankle tags on up to 600 migrants to track their movements, has been under scrutiny since August 2022 after Privacy International raised concerns.  

The ICO’s investigation revealed that the Home Office failed to fully evaluate the privacy implications of continuously collecting location data, particularly considering the potential vulnerability of the individuals due to their immigration status.  

The Home Office’s lack of clear communication about the use of collected data, its purpose, retention period, and sharing protocols was also highlighted as a significant shortfall. The ICO criticised the Home Office for not considering less intrusive alternatives and for failing to provide staff with adequate guidance on when and how electronic monitoring should be applied as a condition of immigration bail. 

Despite the pilot ending in December 2023, concerns remain as the Home Office retains access to the collected data, posing ongoing risks of misuse. The ICO’s enforcement notice demands policy updates and improved privacy information for those affected, while the warning underscores the legal implications of future non-compliant electronic monitoring practices. This action by the ICO serves as a caution to all organisations about the necessity of rigorous privacy assessments and transparent data handling practices, especially when dealing with vulnerable individuals. 

Belgium’s DPA issues data protection guidance for elections 

Ahead of the upcoming June elections in Belgium, the country’s Data Protection Authority (APD) has released new guidelines on targeted political advertising, emphasising the need for compliance with existing privacy legislation, including the GDPR. The APD’s latest publication offers detailed insights on the lawful handling of personal data for electoral communications, whether through postal or electronic channels, and updates its online “elections” section with this information. 

Highlighting the critical role of voter communication in democratic processes, the APD clarifies that personalised electoral messaging is permissible, provided it complies with GDPR principles. This includes the principle of purpose, where data must be collected for explicit electoral use and not repurposed from unrelated activities, such as professional client lists. The guidance also touches on the principle of permissibility, outlining the legal bases for processing personal data in election campaigns, including consent and legitimate interest. 

Moreover, the APD addresses the increasing shift towards digital election campaigns, noting the potential intrusiveness of electronic messages and the likely necessity of consent for such communications. The guidelines also caution against the use of advanced data analysis and microtargeting techniques, warning of their implications for data transparency and fairness. 

Additionally, the APD reiterates the rights of individuals receiving electoral advertisements, including the rights to information, access, rectification, and objection. These provisions ensure that voters are fully informed about who is contacting them, the purpose of the contact, the origin of the data being used, and their rights concerning this data, including the ability to refuse future electoral advertising. 

Commercial organisations, though distinct from political entities, can draw valuable lessons from the Belgian DPA’s guidance on electoral communications. It is crucial for businesses to manage consent effectively, especially for direct marketing, uphold data minimisation and accuracy, respect individual data rights, and cautiously employ advanced data analysis technology.  

As a global BCorp organisation, HewardMills is ready to partner and support your organisation’s needs to safeguard personal data and tackle challenging ever-evolving global data protection regulatory requirements. Contact our team if you want to discuss any of the topics or regulatory updates discussed. 

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at