The European Data Protection Supervisor (EDPS)'s recent investigation into the European Commission's use of Microsoft 365 carries profound implications for data protection and compliance across the EU. This scrutiny is rooted in the provisions of Regulation (EU) 2018/1725, the so-called "EUDPR". The EDPS initiated this investigation following concerns regarding the Commission's adherence to data protection regulations in its use of Microsoft 365 under the Inter-institutional Licensing Agreement signed on May 7, 2021.

This investigation aimed to assess whether the Commission's deployment of Microsoft 365 complied with the EUDPR, including any data processing conducted on its behalf. Although the complaint relates to the EUDPR, it also has implications for the GDPR, since it provides clarity on the purpose limitation principle and on the requirements for data processor agreements covering the use of Microsoft 365 services under EU data protection law in general.

This blog post delves into the first aspect of the investigation: data categories should be specifically defined within data processor agreements to comply with the purpose limitation principle.

Data categories shall be specifically defined.

One of the elements of any data controller-processor agreement is the identification of the specific data categories to be processed in the context of the agreement. This requirement is not merely bureaucratic but serves to comply with the purpose limitation principle. It mandates that data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Hence, specifying data categories in the agreement is not just about compliance but about being a "controller", which means at least knowing what kind of data is processed.

Broad categories and insufficient specificity

The decision highlights a significant shortcoming in the agreement between Microsoft and the EU Commission. The data categories provided were too broad, encompassing 'service generated data' and 'diagnostic data.' While examples were given, such as events occurring in the cloud that could include a wide range of information, these examples fell short of covering the full spectrum of data processing activities. This lack of specificity raises concerns about respect for the purpose limitation principle.

Does disclosing the full scope of personal data in the data processor agreement infringe intellectual property rights or create a security risk? Not a blank cheque, sorry. Respect necessity and proportionality when interfering with the right to protection of personal data.

Microsoft and the EU Commission argued that disclosing the full range of personal data categories could potentially infringe on intellectual property rights, and it might pose security risks by offering a roadmap for malicious actors. These concerns highlight the tension between protecting personal data and safeguarding other rights and interests, such as intellectual property and security.

The EDPS weighed in carefully on this debate, considering the lack of specific data category identification in the data processing agreement as an interference with the right to data protection. This perspective emphasizes data protection as a fundamental right, suggesting that any interference must be critically examined even in the case of limited inclusion of data categories in the data processor agreements.

If intellectual property and security interests were at stake, the EDPS expected the Commission to obtain an explanation from Microsoft on why a non-disclosure agreement between the Commission and Microsoft can mitigate the intellectual property and security risks, considering the Commission's role as a major and reliable public institution. Even if the necessity for limiting data category identification could be justified, the EDPS posited that the proportionality requirement cannot be met without minimizing the scope of service-generated data. However, the Commission is not fully aware of the data categories processed within the broad scope of service-generated data, so this was not possible.

Key takeaways:

1- Simply making reference to general data categories or providing a few examples from these categories is insufficient to adhere to the principle of purpose limitation in data processing agreements.

2- Data processors and controllers are not exempt from the responsibility of defining categories of personal data by claiming intellectual property rights or security risks. This defence is possible as long as it is strictly necessary for this objective.
