We use cookies to collect and analyse information on site performance and usage to improve and customise your experience, where applicable. View our Cookies Policy. Click Accept and continue to use our website or Manage to review and update your preferences.

EU body’s data-deal decision highlighted
(Pic: Shutterstock)

15 Apr 2024 / data law Print

EU body’s data-deal decision highlighted

Lawyers at McCann FitzGerald say that a recent decision by a European body on data protection could have significant implications for many organisations.

The European Data Protection Supervisor (EDPS) found that a contract between the European Commission and Microsoft on the use of the tech giant’s Microsoft 365 system did not contain enough detail to be compliant with EU rules.

In a note on the firm’s website, the McCann FitzGerald lawyers point out that the EDPS’s role cover EU institutions only, and that its decision related to Regulation (EU) 2018/1725, which also applies specifically to EU bodies.


They add, however, that if other EU data-protection bodies adopt a similar approach, “then many organisations are likely to find that their own GDPR compliance measures – and particularly contractual arrangements between controllers and processors – do not meet the demanding standards envisaged by the EDPS”.

The McCann FitzGerald analysis also stresses that aspects of the EU rules covered by the decision “substantially replicate” provisions of the GDPR.

The EDPS decided that the arrangements between the commission and Microsoft did not contain enough detail on:

  • The types of personal data being processed,
  • The specific purposes for which each type of personal data was processed, and
  • The commission’s instructions regarding Microsoft’s processing.

The data-protection body cited GDPR guidelines that the type of personal data being processed under a contract “should be specified in the most detailed manner as possible”.

The McCann FitzGerald lawyers say that many organisations do not routinely go into the level of detail the EDPS determined ought to have been present in this case.

AI risks

They add that the EDPS, in its decision, also highlighted “potentially high risks” to data subjects from Microsoft’s use of AI.

The EU body also rejected arguments from Microsoft that describing data-processing services in “overly granular” detail would impose “unreasonable burdens” on the parties to a contract.

“The practical challenges involved in any organisation seeking to ensure that its data processing agreements contain the level of detail the EDPS considers to be required are obvious,” the McCann FitzGerald note concludes, adding that the commission had two months, from 8 March, to appeal the decision.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland