EU GDPR Complaint: Microsoft Faces Irish DPC Probe Over Israeli Surveillance on Azure

Microsoft is facing a formal regulatory complaint in the European Union after a non‑profit organisation alleged that data stored on Microsoft’s Azure cloud — including recordings and related metadata from Palestinians — was handled in a way that enabled Israeli military surveillance and was later moved from EU servers, triggering an assessment by Ireland’s data regulator.

Background / Overview

The controversy stems from a series of investigative reports that reconstructed how an Israeli military intelligence formation allegedly used Microsoft Azure to ingest, transcribe, translate and index large volumes of intercepted mobile phone calls from Gaza and the occupied West Bank. Those reports, led by The Guardian in partnership with local outlets, described a bespoke pipeline built on commercial cloud services that produced a searchable archive of conversations and metadata — a system some internal sources described in stark terms such as “a million calls an hour.”

Microsoft launched an internal and external review after the reporting. That review produced public statements acknowledging that Microsoft’s review “found evidence that supports elements” of the reporting and led the company to cease or disable specific Azure and AI subscriptions tied to an Israeli Ministry of Defence account. Microsoft said its review relied principally on control‑plane telemetry, billing and account metadata rather than broad content inspection.

Separately, a complaint has now been filed with the Irish Data Protection Commission (DPC) by a non‑profit called Eko, which says it fights for “people and planet over profits.” The filing alleges that Microsoft unlawfully processed personal data belonging to Palestinians and EU citizens in a manner that enabled “surveillance, targeting, and occupation by the Israeli military.” The DPC has confirmed receipt of the complaint and told reporters it is “currently under assessment.”

These developments knit together three separate but overlapping threads: the original investigative reporting that located significant datasets on Azure European regions, Microsoft’s internal review and remedial actions, and civil society allegations that the company’s operational decisions after the exposé may have impeded regulatory oversight or preserved evidence of potentially unlawful processing.

What the reporting and the complaint actually allege

The investigative picture

Investigative outlets reported that an Israeli military intelligence formation (widely associated with Unit 8200 in subsequent coverage) hosted a multi‑petabyte repository of intercepted communications on Azure regions in Europe, notably the Netherlands and Ireland. The reporting relied on a combination of leaked internal documents and testimony from current and former insiders; the most frequently cited scale figures vary across pieces and sources but are consistently described as multi‑petabyte. Journalists described operational uses of the archive — searchable transcription and analytics that could be consulted in operational planning — though the reporting also noted these operational claims are sensitive and in many cases rely on anonymous sources.

The complaint to the Irish DPC

The complaint lodged by Eko (and reported via news agencies) alleges Microsoft breached EU data protection rules by processing Palestinians’ personal data on Azure in ways that facilitated mass surveillance and military targeting. The filing also asserts new whistleblower‑provided information showing that, immediately after the media exposé, large volumes of data were transferred off Microsoft infrastructure — a move the complainants say may have frustrated EU regulators’ ability to investigate and could amount to unlawful destruction or concealment of evidence. The DPC’s confirmation that it has the complaint and is “assessing” it brings the one‑stop‑shop powers of Ireland’s regulator to the fore given Microsoft’s EU headquarters are in Ireland.

Microsoft’s public account

Microsoft has publicly stated that its customers own their data and that Microsoft did not itself move customer content. The company says its review found evidence supporting elements of the investigative reporting — specifically consumption of Azure storage in the Netherlands and use of AI services — and that it has taken targeted action to cease and disable specific subscriptions. Microsoft also told journalists that a customer chose to transfer data in August and that this was the customer’s action, which Microsoft said “in no way impeded our investigation.” Microsoft’s statements emphasise that the company did not access customer content when conducting its controls‑based review.

Technical anatomy: how cloud hosting, transfers and visibility work

Regions, residency and customer control

Commercial cloud platforms, including Azure, let customers choose the regions where their storage and compute resources reside — for example, North Europe (Ireland) or West Europe (Netherlands). Customers provision subscriptions, quotas and throughput and can request higher egress or transfer capacity from vendor support or account teams. These are routine operations for legitimate migrations, but they also leave audit trails in the form of support tickets, quota approvals, and control‑plane logs. Those telemetry signals — not content inspection — are often the primary means vendors have to detect anomalous or high‑volume usage patterns.

What cloud providers can and cannot see

Cloud vendors typically have complete visibility over administrative metadata: which subscriptions exist, provisioning actions, storage capacity consumed, and network egress volumes. However, significant technical and contractual architectures reduce a provider’s direct visibility into the content itself — for example, when customers manage their own encryption keys, implement strict network isolation, or use sovereign/cloud‑contract constructs that limit provider access. In such configurations, the vendor’s ability to inspect content is constrained; detection of potentially abusive processing will therefore frequently depend on indirect signals and external reporting. Microsoft’s public explanations of its review reflect this distinction.

Moving terabytes: egress, logs and forensics

Bulk data export from a cloud provider requires coordinated network transfers and generates logs that should be visible to both the customer and the vendor. If large volumes of data were moved out of Azure after the public reporting, as the complaint alleges, the operation should (in principle) have produced egress telemetry and support tickets; whether those logs remain accessible to EU supervisors or are retained and preserved in a way that enables independent forensic analysis is a central investigative question. Civil society groups argue that abrupt transfers can frustrate supervision and preservation of evidence; Microsoft and the customer maintain that transfers were customer‑initiated and lawful. At this stage, those claims are contested and require regulator‑level forensic verification.
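The detection approach the two sections above describe, control‑plane and egress telemetry rather than content, as an added example that is not Microsoft’s or any vendor’s code: it baselines each subscription’s daily egress, flags days that spike far above the trailing mean, and correlates a spike with any recorded quota increase in the preceding week. The record layout, field names, thresholds and sample values are constructed assumptions.

```python
# Added example: baseline-and-spike detector over per-subscription egress telemetry.
# Record layout, field names, thresholds and sample values are constructed
# assumptions, not any cloud vendor's schema or tooling.
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

def _rows(sub, start_day, values):
    """Build one constructed telemetry record per day (egress in GB)."""
    d0 = date.fromisoformat(start_day)
    return [{"subscription": sub, "day": (d0 + timedelta(days=i)).isoformat(),
             "egress_gb": float(v)} for i, v in enumerate(values)]

# Constructed sample data: sub-A runs ~120 GB/day, then exports terabytes.
SAMPLE_EGRESS = (_rows("sub-A", "2025-08-01",
                       [110, 120, 130, 115, 105, 125, 120, 2400, 3100])
                 + _rows("sub-B", "2025-08-01", [50] * 9))
# Constructed control-plane events (quota approvals / support tickets).
SAMPLE_QUOTA_EVENTS = [
    {"subscription": "sub-A", "day": "2025-08-06", "event": "egress_quota_increase"},
]

def egress_anomalies(records, baseline_days=7, spike_factor=5.0, min_gb=1000.0):
    """Flag days whose egress exceeds spike_factor x the trailing mean and an
    absolute floor. Returns (subscription, day, egress_gb, baseline_gb) tuples."""
    by_sub = defaultdict(list)
    for r in records:
        by_sub[r["subscription"]].append((r["day"], r["egress_gb"]))
    findings = []
    for sub, rows in by_sub.items():
        rows.sort()  # ISO dates sort chronologically as strings
        for i, (day, gb) in enumerate(rows):
            window = [g for _, g in rows[max(0, i - baseline_days):i]]
            if len(window) < 3:
                continue  # too little history to call anything anomalous
            baseline = mean(window)
            if gb >= min_gb and gb > spike_factor * baseline:
                findings.append((sub, day, gb, round(baseline, 1)))
    return findings

def correlate_with_quota(findings, quota_events, lookback_days=7):
    """Annotate each spike with whether a quota/throughput increase was
    recorded for the same subscription in the preceding lookback_days."""
    out = []
    for sub, day, gb, baseline in findings:
        spike = date.fromisoformat(day)
        related = [e for e in quota_events if e["subscription"] == sub
                   and 0 <= (spike - date.fromisoformat(e["day"])).days <= lookback_days]
        out.append({"subscription": sub, "day": day, "egress_gb": gb,
                    "baseline_gb": baseline, "quota_change_within_window": bool(related)})
    return out

if __name__ == "__main__":
    for hit in correlate_with_quota(egress_anomalies(SAMPLE_EGRESS), SAMPLE_QUOTA_EVENTS):
        print(hit)
```

The same logic applies to any per-day usage counter (storage consumed, API call volume); the point is that the signal is available to the provider without reading customer content.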

Legal framework and regulatory levers under GDPR

Why Ireland is the lead regulator

Because Microsoft’s European headquarters are in Ireland, the Irish Data Protection Commission (DPC) acts as the lead supervisory authority under the GDPR’s “one‑stop‑shop” mechanism when cross‑border processing is involved. That gives the DPC responsibility for coordinating any EU‑wide enforcement action or investigation into Microsoft’s compliance, subject to potential involvement by the European Data Protection Board if cross‑border corrective measures are proposed.

Key GDPR issues likely to be examined

  • Lawfulness, fairness and transparency (Article 5): Was there a lawful legal basis for the processing of personal data at the scale and for the purposes alleged? Were data subjects properly informed where required?
  • Special categories and sensitive data: Intercepted communications and metadata about individuals engaged in private communications are squarely within GDPR protections. If processing involved sensitive data or was disproportionate and unnecessary, it could breach core GDPR principles.
  • International transfers and Article 44 ff.: Transfers of personal data out of the EU require an adequacy decision or appropriate safeguards (standard contractual clauses, binding corporate rules), or fall within narrow derogations. If data were exported from EU regions to a third country without such safeguards, that may trigger violations.
  • Controller/processor roles and obligations: Regulators will want to establish whether Microsoft acted as a data controller or processor (or both) for the activities at issue, and whether it met obligations around contract, technical controls, and cooperation with supervisory authorities.
  • Preservation and obstruction concerns: Allegations that data was moved rapidly after media attention raise questions about whether reasonable preservation steps were taken to secure logs and evidence of potentially unlawful processing. Supervisory authorities have investigatory powers, including ordering access to records, audits and — if necessary — temporary bans on processing.

Supervisory powers and penalties

Under the GDPR, national supervisory authorities like the DPC have broad investigative and corrective powers, including ordering corrective measures, imposing temporary or definitive bans on processing, and levying fines of up to €20 million or 4% of global annual turnover for the most serious breaches. The DPC’s current confirmation that the complaint is “under assessment” is an early procedural step that could lead to a formal investigation if the authority determines the filing warrants deeper scrutiny.

Corroboration, verification, and gaps in the public record

This story brings together three types of claims — journalistic reconstruction, corporate statements about internal reviews, and activist/complainant allegations backed by alleged whistleblower material. Each requires a distinct evidentiary standard and should be treated accordingly.
  • The initial investigative reporting (The Guardian and partners) provides detailed reconstruction and leaked internal documents that identify EU datacentres and describe operational uses; those reports have already prompted corporate review and public response.
  • Microsoft’s public disclosures confirm that its review found evidence supporting certain elements of the reporting and that the company ceased or disabled specific services for an Israeli Ministry of Defence (IMOD) account; Microsoft maintains it did not access customer content during its review. That acknowledgement is one of the clearest corporate admissions to date.
  • The complaint filed by Eko — and public statements attributed to it via news agencies — introduces an allegation that data was “rapidly offloaded” after publication and that whistleblowers at Microsoft provided supporting information. At present those whistleblower claims and the precise mechanics of any transfer are matters of dispute and have not been publicly verified by an independent forensic audit or by the DPC. This is an important distinction: the complaint is a legal and factual allegation that the DPC will need to test.

Where reporting relies on leaked internal documents and anonymous sources, independent forensic verification — including access to original logs, billing records, and storage metadata — is necessary to move from plausible allegation to proven regulatory breach. That is the work the DPC and any cooperating EU authorities would need to do to establish facts for enforcement.

Reputational, contractual and systemic risks

For Microsoft

  • Regulatory exposure: If investigations find Microsoft failed to meet its GDPR obligations — for example, by allowing transfers that lacked adequate safeguards or failing to preserve evidence — the company could face substantial fines and corrective orders. The DPC’s role as lead authority means any enforcement would carry EU‑wide implications.
  • Customer trust and commercial risk: Enterprises and public bodies rely on cloud providers for compliance and stewardship of sensitive data. Perceptions that Microsoft’s cloud can be used for large‑scale surveillance — even if via customer misuse — damage trust and raise procurement concerns across sectors.
  • Operational governance scrutiny: The reporting and subsequent internal activism have already triggered procedural changes at Microsoft, such as expanding internal reporting channels for tech‑misuse concerns; the company now must demonstrate that those process changes meaningfully reduce future risk.

For governments and customers

  • Legal liability for downstream use: Customers who contract cloud services remain responsible for the lawful basis and proportionality of the data processing they carry out. State actors conducting mass surveillance expose themselves to legal risks under international law and (where relevant) partner countries’ data‑protection rules.
  • Evidence preservation and accountability: Rapid transfers of data after public exposure can impede accountability. Regulators and civil society will point to any failure to preserve logs and records as an aggravating factor in enforcement.

For the cloud industry

  • Governance precedent: This episode intensifies debate over whether hyperscalers can — or should — police high‑risk government end uses. It also highlights the governance gaps that arise when cloud architecture limits provider visibility into content. Expect greater regulatory focus on pre‑contract due diligence, threat modelling, and contractual restraints for “high‑risk” public customers.

Practical forensic and compliance questions the DPC will likely pursue

  • Which legal entity (Microsoft Ireland or another Microsoft subsidiary) entered into contracts with the customer?
  • What contractual terms governed data residency, encryption and transfer rights?
  • Did any transfers or increased egress capacity occur in August/September 2025, and if so, which logs (support tickets, egress telemetry, billing records) document them?
  • Were standard contractual clauses, binding corporate rules, or other appropriate safeguards relied upon for any transfers out of the EEA?
  • Were steps taken to preserve forensic evidence once the allegation surfaced, and who authorised any subsequent transfers?
  • Did Microsoft’s internal review follow a protocol that protected investigatory integrity while respecting customer privacy obligations?

These questions require access to system logs and contractual records that only the company, the customer and the regulator can fully provide and validate.

What to watch next

  • DPC procedural steps: The immediate next move is whether the DPC opens a full statutory inquiry. An assessment can lead to formal investigation, requests for information, audits of Microsoft’s operations, or dismissal if the authority deems the complaint unfounded. The timeline for DPC actions is uncertain but will likely be measured, given the complexity and potential cross‑border implications.
  • Independent forensic audit: Civil society has called for an independent forensic audit of the systems and transfer logs; whether the DPC or another EU body mandates such an audit is a central question for establishing facts.
  • Regulatory coordination: If the DPC opens an inquiry, other EU DPAs and the European Data Protection Board may become involved, especially if the investigation leads to corrective measures that would affect processing in multiple member states.
  • Corporate disclosures and litigation: Expect further corporate statements, whistleblower claims, and potentially civil litigation or follow‑on complaints if the DPC’s assessment yields significant findings. Microsoft’s own public review and the reactions from employee groups will remain a persistent reputational vector.

Recommendations — for regulators, cloud customers and vendors

  • Regulators should prioritise independent forensic access to provider logs and support records to establish a clear factual baseline and preserve evidentiary integrity.
  • Cloud providers must strengthen pre‑contract human‑rights due diligence for high‑risk governmental customers, include explicit audit and preservation clauses, and clarify operational visibility limits to procurement teams.
  • Customers — including governments and defence organisations — should design lawful‑use governance around cloud deployments that includes transparent legal bases for processing, documented safeguards for special‑category data and robust retention/egress policies.
  • Civil society and journalists should press for transparent, auditable outcomes from regulatory processes while acknowledging the difference between allegation and regulatory finding.

Strengths, uncertainties and risks in the public record

The public record to date includes substantive investigative reporting, a corporate acknowledgement of evidence supporting some reporting elements, and a formal complaint triggering supervisory oversight. That triangulation gives the story significant factual weight. At the same time, important uncertainties remain. Key claims — especially those alleging that Microsoft deliberately assisted in moving data to frustrate oversight, or that specific datasets were used directly to choose civilian targets — are contested and currently rest on whistleblower testimony and leaked documents rather than on a neutral, publicly available forensic audit. Regulators will need access to raw logs and contractual records to move from plausible allegations to established violations. Where claims cannot be independently verified, they must be treated cautiously and marked as unproven until a regulator or independent audit confirms them.

Microsoft’s entanglement with this story is both technical and normative: at the technical level, it highlights the realities of cloud architecture, customer control, and telemetry limits; at the normative level, it raises urgent questions about corporate responsibility when powerful infrastructure can be repurposed for mass surveillance. The Irish DPC’s assessment and any subsequent investigatory steps will be decisive in translating allegation into regulatory action — and in setting industry precedent for how hyperscalers must manage high‑risk government workloads under the GDPR.

Conclusion

The complaint to Ireland’s Data Protection Commission is the next formal step in a story that combines investigative journalism, corporate review and civil society pressure. It exposes the fault lines between customer control, vendor visibility, and the demands of privacy law in a cloud‑first world. Because several factual claims remain contested and some rely on leaked materials and whistleblower accounts, the DPC’s ability to secure logs and enforce a neutral forensic audit will be the single most important determinant of whether this episode becomes a landmark GDPR enforcement action or a high‑profile cautionary tale about the limits of public verification in cloud environments.

Source: New National Star Microsoft under EU scrutiny over Israeli surveillance data - New National Star
 
