The European Commission has been found to have violated key data protection rules in its use of Microsoft 365, according to a European privacy watchdog. The European Data Protection Supervisor (EDPS) criticized the EC for not taking proper protective measures when transferring personal data outside the EU and European Economic Area (EEA) using the cloud-based app. The EC also failed to specify in its contract with Microsoft the types of personal data collected and for what purposes. This three-year investigation’s findings suggest that even trusted government entities do not necessarily keep the data they collect safe.

The EDPS has ordered the commission to suspend all data flows resulting from its use of Microsoft 365 to Microsoft, its affiliates, and sub-processors located in countries outside the EU/EEA that don’t have an adequacy agreement with the EC. The EC has until December 9 to demonstrate compliance with data protection regulations.

The European Union has data adequacy agreements with 16 countries to ensure that personal data is protected under EU laws even when transferred to countries with different data privacy laws. The watchdog is giving the commission appropriate time to comply with the suspension without compromising its ability to carry out its tasks. For more information, you can visit www.computerworld.com.