The European Commission's use of Microsoft 365 has been under scrutiny since March, when it was discovered that the bloc's data protection rules had been broken. The European Data Protection Supervisor (EDPS) ordered the Commission to suspend any infringing data flows and rectify its contracts with Microsoft. However, the situation has been shrouded in uncertainty, with little updates provided since the initial finding.

On Monday, the deadline for the Commission's response to the EDPS' order passed, and on Tuesday, EDPS Wojciech Wiewiórowski confirmed receipt of the report. Wiewiórowski stated that the EDPS is currently reviewing the report to determine whether the Commission has complied with the March order. The review process is expected to be lengthy, with Wiewiórowski noting that the analysis will require "careful consideration" and will be conducted "thoroughly within an appropriate timeframe."

The Commission and Microsoft are also challenging the EDPS decision, which has led to a sense of uncertainty surrounding the outcome of the investigation. The challenges have been filed under cases T-262/24 and T-265/24, respectively. Despite the ongoing legal battles, 2025 is shaping up to be a pivotal year for the issue, with potential implications for the use of cloud computing services across the European Union.

The EDPS' investigation highlights the importance of data protection in the digital age. The use of cloud computing services, such as Microsoft 365, has become ubiquitous across industries, but it also raises concerns about data sovereignty and security. The European Commission's breach of data protection rules serves as a stark reminder of the need for vigilance and accountability in the handling of sensitive information.

The outcome of the investigation will have significant implications for the European Union's data protection landscape. If the Commission is found to be non-compliant, it could lead to a suspension of data flows, which would have far-reaching consequences for businesses and organizations relying on Microsoft 365. Moreover, the investigation's findings could influence the development of data protection regulations across the EU, potentially leading to more stringent rules and greater oversight.

As the EDPS continues its review of the Commission's report, the tech industry will be watching closely for updates on this critical issue. The investigation's outcome will have significant implications for the use of cloud computing services, data protection, and the future of digital governance in the European Union.