The European Data Protection Supervisor found that the European Commission failed to comply with data protection rules when using Microsoft 365, raising fresh questions about how Microsoft handles personal information across its product ecosystem. The March 2024 decision focused on purpose limitation, international transfers, and unauthorized disclosures tied to the software suite. While the ruling targets an institutional user rather than individual Windows consumers, the compliance gaps it exposed feed directly into a broader debate about whether Microsoft’s telemetry systems, including those built into Windows, collect and move data in ways that users never meaningfully agreed to.
What the EDPS Ruling Actually Found
The European Data Protection Supervisor published its investigation into the European Commission’s use of Microsoft 365 in March 2024, concluding that the Commission had not put adequate safeguards in place to control how personal data processed through the cloud suite was used, where it was sent, or who could access it. According to the official decision, three specific compliance failures stood out: the Commission did not enforce proper purpose limitation on data collection, it allowed international transfers without sufficient legal protections, and it failed to prevent unauthorized disclosures of personal information. The ruling applied the institutional GDPR regime, which governs EU institutions rather than private companies or individual member states, and ordered the Commission to bring its Microsoft 365 deployment into compliance.
This institutional focus matters because the EDPS did not audit Windows operating system telemetry or consumer-facing data collection practices. Its jurisdiction in this case covers how an EU body processes personal data when using a powerful third-party platform, not how Microsoft designs and ships its consumer products. Yet the decision carries weight well beyond the Commission’s offices in Brussels. It signals that a major European regulator found Microsoft’s enterprise cloud tools were being used in ways that violated core data protection principles, despite contractual safeguards and policy documents. If the Commission itself, with its legal resources and institutional expertise, could not ensure compliant use of Microsoft 365, the question of whether ordinary users can meaningfully control what Windows sends back to Microsoft becomes harder to dismiss.
Windows Telemetry and the Consent Gap
Windows 10 and Windows 11 ship with built-in diagnostic telemetry that collects information about system performance, application crashes, device configuration, and usage patterns. Microsoft organizes this collection into tiers, from “required” diagnostics that the company says are necessary for security and updates, to more expansive options that capture browsing behavior, app activity, and detailed device health data. Users can adjust these settings through system menus, but the default configuration sends a significant volume of information to Microsoft, and the opt-out process is neither straightforward nor complete. Even at the lowest telemetry setting, some data still flows back to Microsoft servers as a condition of receiving updates and security fixes.
The EDPS decision did not examine these Windows-specific mechanisms, but the compliance failures it identified in Microsoft 365 map closely onto concerns long raised by privacy advocates about operating system telemetry. When the EDPS found that Microsoft 365 data was being transferred internationally without proper safeguards and that purposes were not tightly defined, it highlighted a structural problem: Microsoft’s cloud infrastructure routes data through servers in multiple jurisdictions, and the legal protections governing those transfers have been under sustained challenge since the Court of Justice of the European Union struck down the EU-U.S. Privacy Shield framework. Windows telemetry data follows similar pathways. Public-facing privacy documentation describes broad categories of information that may be collected, yet it does not give users a line-by-line account of which data points travel where, for how long, and under what legal basis, leaving a gap between the consent users think they are giving and the processing that actually occurs.
Purpose Limitation as the Central Problem
Purpose limitation is a foundational GDPR principle: personal data must be collected for specific, explicit, and legitimate purposes, and it cannot then be processed in ways that are incompatible with those purposes. In its Microsoft 365 investigation, the EDPS concluded that the European Commission’s deployment failed this test because data collected through the suite was being processed beyond the boundaries that users and administrators could reasonably infer from the available information. This finding echoes a long-standing criticism of Windows telemetry. Microsoft states that diagnostic data improves product reliability, performance, and security, but the breadth of information collected, and the opacity of how it is later analyzed, aggregated, or shared, makes it difficult for outsiders to verify whether those stated purposes are the only ones being served.
The gap between declared aims and practical data flows is where accusations of “spying” gain rhetorical force. Microsoft has consistently rejected that framing, pointing to configuration options, enterprise controls, and privacy dashboards as evidence that users retain meaningful agency. However, documentation alone does not satisfy purpose limitation if the underlying processing is more extensive than what a reasonable person would expect from those materials. Through its public communications, including posts on its official social channel, the EDPS has emphasized that large technology providers must narrow their collection to what is strictly necessary and ensure that customers can understand and influence how their data is used. For Windows users, this signals that the legal standards European regulators are now applying to enterprise cloud deployments could eventually be brought to bear on consumer operating systems, particularly if complaints or future investigations focus directly on telemetry.
International Transfers and Post-Schrems Pressure
One of the three compliance failures highlighted by the EDPS involved international data transfers, specifically the movement of personal data from EU institutions to servers outside the European Economic Area without adequate legal protections. This issue has been at the center of regulatory scrutiny since the Schrems II ruling invalidated the EU–U.S. Privacy Shield in 2020, forcing organizations to reassess the mechanisms they use to justify sending data to the United States. Microsoft relies heavily on standard contractual clauses and a set of supplementary technical and organizational measures to support its cross-border transfers, but regulators have repeatedly questioned whether those tools can fully compensate for the level of access that foreign intelligence services may have under non-EU law. The European Data Protection Board has issued guidance stressing that data exporters must evaluate the actual risk environment in destination countries instead of treating contractual language as a formality.
Windows telemetry is subject to the same transfer dynamics because diagnostic data generated on a device in, for example, Germany or France may be routed to or stored on servers in the United States or other non-EU jurisdictions. Microsoft’s general privacy statement acknowledges that customer information is processed in multiple countries, but it does not give individual users granular control over where their telemetry data is stored or which data centers handle which categories of information. The EDPS decision against the Commission did not create new legal obligations, yet it did establish a concrete enforcement precedent: relying on a major vendor’s default settings and contractual terms, without independently verifying that international transfers satisfy GDPR standards, can itself amount to a violation. For consumers, the practical implication is that the robustness of the legal framework surrounding their Windows telemetry data depends largely on Microsoft’s internal assessments and safeguards, which remain difficult for outsiders to audit or challenge.
What This Means for Everyday Windows Users
For everyday Windows users, the EDPS ruling does not immediately change how their computers behave. Telemetry settings, update mechanisms, and cloud connectivity features continue to operate as designed, and the decision is formally directed at the European Commission rather than at Microsoft’s consumer business. Nonetheless, the investigation exposes structural weaknesses that are highly relevant to anyone whose data travels through Microsoft’s infrastructure. It shows that even a sophisticated institutional customer, operating under a tailored contract and with dedicated compliance staff, struggled to ensure that data collection was limited to specific purposes and that international transfers were fully justified. If such an institution can fall short, individual users with limited technical knowledge and no ability to negotiate terms are in an even weaker position to understand, let alone control, how their personal information is processed.
In practical terms, users who are concerned about privacy can take steps to reduce the amount of data Windows sends to Microsoft, such as choosing the lowest available diagnostic level, disabling optional cloud features they do not need, and periodically reviewing account-level settings. These measures, however, operate within boundaries set by Microsoft and do not eliminate “required” telemetry or alter the jurisdictional realities of global cloud infrastructure. The EDPS decision suggests that meaningful change is more likely to come from regulatory pressure than from individual configuration tweaks. As EU bodies refine their expectations for purpose limitation and international transfers in the context of large vendors, Microsoft may be compelled to redesign aspects of its telemetry systems, offer clearer disclosures, or provide stronger technical controls to institutional and consumer customers alike. Until then, the tension between convenience, security updates, and strict data protection principles will remain an unresolved feature of the Windows ecosystem rather than a problem that individual users can solve on their own.
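The diagnostic tiers described under “Windows Telemetry and the Consent Gap” and the configuration steps above can be audited and applied from an elevated PowerShell prompt. The script below is an added example, not code from the article or from Microsoft; it assumes Windows 10 or 11 with PowerShell 5.1 or later and uses the documented registry locations of the “Allow Diagnostic Data” (AllowTelemetry), “Limit Diagnostic Log Collection” and “Limit Dump Collection” policy settings.

```powershell
# Added example: audit the effective Windows diagnostic data level and, optionally,
# pin it to "Required" by policy. Registry paths/value names are the documented
# DataCollection policy settings; the level names are Microsoft's tier labels.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$SettingKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$LevelNames = @{
    0 = 'Security (honored only on Enterprise/Education/Server editions)'
    1 = 'Required (Basic)'
    2 = 'Enhanced (deprecated)'
    3 = 'Optional (Full)'
}

function Get-DiagnosticDataLevel {
    # A policy value overrides the Settings-app value; if neither exists the
    # edition default applies (Optional on consumer editions).
    foreach ($path in @($PolicyKey, $SettingKey)) {
        $v = (Get-ItemProperty -Path $path -Name AllowTelemetry -ErrorAction SilentlyContinue).AllowTelemetry
        if ($null -ne $v) {
            return [pscustomobject]@{ Source = $path; Value = $v; Level = $LevelNames[[int]$v] }
        }
    }
    [pscustomobject]@{ Source = 'none (edition default)'; Value = $null; Level = 'not explicitly set' }
}

function Set-DiagnosticDataRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Requires an elevated prompt. Level 1 = Required; 0 is only effective on
    # Enterprise/Education/Server and is treated as 1 elsewhere. The two Limit*
    # values (DWORD 1) stop Microsoft from requesting extra logs and crash dumps.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    foreach ($name in 'AllowTelemetry', 'LimitDiagnosticLogCollection', 'LimitDumpCollection') {
        if ($PSCmdlet.ShouldProcess("$PolicyKey\$name", 'Set DWORD to 1')) {
            New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
        }
    }
}

# Report what is currently in effect, plus the state of the telemetry service
# ("Connected User Experiences and Telemetry", service name DiagTrack).
Get-DiagnosticDataLevel | Format-List
Get-Service -Name DiagTrack | Select-Object Name, Status, StartType

# Preview the change with -WhatIf; drop it to apply:
Set-DiagnosticDataRequired -WhatIf
```

Even at level 1 the “required” diagnostic data the article describes still flows to Microsoft; the policy only removes the optional tier and the on-demand log and dump uploads, and a Settings-app change can be re-applied by the user unless the policy key is managed centrally.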
*This article was researched with the help of AI, with human editors creating the final content.