In March 2024, the European Data Protection Board determined that the European Commission’s use of Microsoft 365 violated GDPR requirements. The Commission was instructed to cease transferring data from Microsoft 365 to non-EU/EEA countries without adequacy decisions by December 9th, 2024. However, in May 2024, the EU Commission filed a lawsuit against the European Data Protection Supervisor (EDPS) over the directive. On July 11th, 2025, Wojciech Wiewiórowski, the EU’s data protection supervisor, informed the European Commission that the enforcement proceedings were terminated because the Commission had addressed all of the privacy concerns identified in 2024.
The termination came after the European Commission made necessary improvements to its licensing agreement with Microsoft, ensuring adequate control over personal data processing within Microsoft 365. The establishment of an EU Data Boundary by Microsoft served as evidence that user data would remain within the EU, satisfying GDPR requirements. Despite this resolution, concerns about Microsoft’s compliance with US legal demands and potential data breaches remained.
The issue highlights the challenges faced by European organizations in adopting technology solutions from American companies while adhering to strict EU privacy regulations. The settlement represents a significant shift from earlier disagreements regarding Microsoft 365’s use within government bodies, marking an important milestone in cross-border digital governance.
Key Points: European Commission and GDPR Compliance with Microsoft Products
The debate over whether technology products such as Microsoft 365 comply with the European Union’s General Data Protection Regulation (GDPR) has been ongoing. Initially, the EU had concerns about the handling of sensitive data by American tech giants due to differing legal frameworks between Europe and the US. The controversy stemmed from issues regarding cross-border data transfers and the need to ensure that companies based outside the European Economic Area (EEA) comply with GDPR.
As the situation developed, it became apparent that regulatory bodies were seeking concrete measures to protect EU citizens’ personal information from falling into jurisdictions where privacy laws are less stringent. This scrutiny has forced Microsoft to adapt its services to meet stricter compliance requirements set forth by GDPR guidelines in Europe.
In 2025, with a focus on strengthening data sovereignty and ensuring robust protection of digital assets within the European Union, Microsoft introduced significant modifications to its service agreements and implemented the EU Data Boundary solution. These changes addressed key concerns raised during the dispute and led to the resolution between the EU Commission and regulatory bodies, allowing for continued use of Microsoft’s products under strict GDPR oversight.