Microsoft is facing a complaint in the European Union from a non-profit organisation that alleges the company unlawfully stored personal data on Palestinians used for Israeli military surveillance.
Ireland’s Data Protection Commission (DPC) confirmed it had received the complaint against the US technology company and said it was “currently under assessment”. Because Microsoft’s European headquarters are based in Ireland, the DPC acts as the company’s lead data protection regulator in the EU.
The complaint was filed by Eko, a non-profit group that campaigns for “people and planet over profits”. It accuses Microsoft of breaching the EU’s General Data Protection Regulation (GDPR) by processing personal data belonging to Palestinians and EU citizens.
“Microsoft unlawfully processed personal data belonging to Palestinians and EU citizens, enabling surveillance, targeting, and occupation by the Israeli military,” the organisation said in a statement.
The complaint follows a report by the Guardian which found that the Israel Defense Forces had used Microsoft’s Azure cloud platform to store data files of phone calls obtained through mass surveillance of civilians in Gaza and the West Bank.
After examining the findings, Microsoft said it restricted some of the Israeli military’s access to certain cloud services in September.
Eko claims that whistleblowers have since provided new evidence suggesting Microsoft rapidly transferred large volumes of surveillance data after the Guardian investigation was published. The group alleges the data had been “illegally captured” and stored on European servers.
In a statement, a Microsoft spokesperson said customers retain control over their data. “Our customers own their data and the actions taken by this customer to transfer their data in August was their choice,” the spokesperson said. “These actions in no way impeded our investigation.”
According to the Guardian report, the data was stored on Microsoft servers in Ireland and the Netherlands, bringing it under the scope of the GDPR. Introduced in 2018, the regulation is designed to protect individuals in the EU from misuse of personal data and to strengthen oversight of how companies collect, store and process information.
The DPC has not indicated a timeline for its assessment of the complaint.

