Microsoft, the American technology giant, is confronting a formal complaint within the European Union. The allegation centres on the company's role in storing data used by the Israeli military for surveillance of Palestinians, potentially breaching strict EU privacy laws.
Details of the Complaint and Regulatory Action
The complaint was filed by a non-profit organisation named Eko, which advocates for "people and planet over profits." It accuses Microsoft of unlawfully processing personal data belonging to Palestinians and EU citizens. According to Eko, this processing enabled "surveillance, targeting, and occupation by the Israeli military."
On Thursday, the Irish Data Protection Commission (DPC) confirmed it had received the complaint and stated the matter was "currently under assessment." The DPC acts as the EU's lead data regulator for Microsoft because the company's European headquarters are based in Ireland.
The Guardian Report and Microsoft's Response
This legal action follows an investigative report by the British newspaper, The Guardian. The report revealed that the Israeli Defense Forces utilised Microsoft's cloud service, Azure, to store data files from phone calls. This data was reportedly obtained through broad or mass surveillance of civilians in Gaza and the West Bank.
In response to the report, Microsoft initiated its own investigation. Subsequently, in September, the company cut the Israeli army's access to certain cloud services. However, Eko claims that "new evidence shared by Microsoft whistleblowers" indicates the company quickly offloaded large amounts of the surveillance data after The Guardian's investigation became public.
A Microsoft spokesperson addressed the situation, stating, "Our customers own their data and the actions taken by this customer to transfer their data in August was their choice." The spokesperson added that these actions did not impede the company's internal investigation.
GDPR Implications and Potential Consequences
The case has significant implications under the EU's General Data Protection Regulation (GDPR). According to The Guardian, the data in question was stored on Microsoft's servers located in Ireland and the Netherlands. This physical location places the data squarely under the jurisdiction of the GDPR, which came into force in 2018 to protect European consumers from data misuse.
A confirmed violation of GDPR can result in substantial penalties, including fines of up to 4% of a company's global annual revenue. For a corporation of Microsoft's scale, this represents a potentially massive financial risk, alongside significant reputational damage.
The Irish DPC's assessment will now determine whether Microsoft's data processing activities complied with the law. The outcome is being closely watched as a test case for the application of EU data protection rules to global tech firms involved in complex international conflicts.
