Complaint filed against Microsoft Ireland alleging it facilitated mass processing of ‘illegal’ surveillance data on Palestinians
Irish human rights campaigners have sent internal Microsoft files on dealings with Israel’s military to regulators in a complaint alleging the company’s Irish business facilitated the mass processing of “illegal” surveillance data on Palestinians. The complaint by the Irish Council for Civil Liberties (ICCL) was made to the Data Protection Commission (DPC) in Dublin, the body responsible for enforcing EU data protection law on Big Tech groups such as Microsoft which have their European headquarters in Ireland. In its DPC submissions, the council said it had a mandate to make the complaint on behalf of Palestinian residents of Gaza and the West Bank and EU “citizens/residents” who have frequent communications with people in the Occupied Territories. “Microsoft’s technology has put millions of Palestinians in danger,” said ICCL executive director Joe O’Brien, a former Green TD.READ MOREIreland will not take part in next Eurovision Song Contest due to Israel’s inclusionDrones spotted near Zelenskiy’s flight path to Dublin, triggering major security alertOnlyFans creators earning up to €200,000 ‘fear for personal safety’ if named on tax defaulters’ listThyme restaurant review: Is this the best Sunday lunch in Ireland?The complaint alleges grave violations of European privacy law, saying Microsoft processing facilitated the killing of civilians in Gaza by Israel. Such processing “continues to enable mass surveillance of individuals in the entire occupied Palestinian territory” and the illegal occupation of lands, it adds. Documents submitted to the DPC include internal screengrabs from Microsoft systems, provided by whistleblowers, that purport to show how the company helped Israeli officials organise the bulk transfer of huge surveillance files from European servers to Israel in August. Microsoft’s alleged assistance to the Israeli ministry of defence (IMOD) included a big increase to storage quotas that govern how much data could be sent to and from storage accounts at any one time. The transfer is alleged to have started one day after an August 6th report in the Guardian set out how Israel’s ministry of defence used Microsoft’s cloud storage service Azure to host vast surveillance records on Palestinian phone calls, text messages and voicemails using Irish and Dutch data centres. The screengrabs were from “a Microsoft system about processing for which Microsoft Ireland is responsible”, the ICCL said. [ Microsoft Ireland has cut 250 jobs since last summerOpens in new window ]According to the complaint, Microsoft whistleblowers are available to speak with the DPC “to answer any questions related to the documents” and “provide insights” into company operations.“These are not abstract data-protection failures – they are violations that have enabled real-world violence,” Mr O’Brien said. “When EU infrastructure is used to enable surveillance and targeting, the Irish Data Protection Commission must step in – and it must use its full powers to hold Microsoft to account.”The ICCL claimed Microsoft facilitated the capabilities of the Israeli defence ministry “to mass remove storage of surveillance data out of Europe to Israel, and only after that facilitation was complete did Microsoft launch an investigation” on August 15th.“In other words, Microsoft only launched an investigation into the IMOD’s usage once it had effectively hindered its own capabilities to investigate, and once they ensured that European governments could not seize or audit the surveillance data, effectively concealing evidence from European governments/regulators,” the ICCL said.“The IMOD would not have been able to bulk transfer this vast amount of data out of Europe to Israel without Microsoft increasing the storage quotas. In other words, Microsoft had control over whether this large amount of surveillance data could be transferred in a short period of time out of Europe to Israel. Microsoft used its control to increase IMOD’s storage quotas to facilitate the means of data processing in a transfer out of Europe.”[ Israeli minister clashes with Ireland’s envoy to Tel Aviv over Herzog Park name rowOpens in new window ]Microsoft disputed ICCL claims about the effectiveness of its own inquiries, saying its investigation “led to a decision to cease some services in September” and ultimately to the customer – which the company did not name – storing the data with another provider.“Our customers own their data and the actions taken by this customer to transfer their data in August was their choice,” Microsoft said. “These actions in no way impeded our investigation.”A DPC spokesman said: “I can confirm that the DPC has received a complaint of this nature, and it is currently under assessment.”The 25-page complaint was made under the EU’s General Data Protection Regulation (GDPR), a body of law in force since 2018 which ramped up public oversight of companies that collate online data. The ICCL wants the DPC to consider administrative fines against Microsoft at the “upper tier” of the levels allowed under the GDPR because of “the scale and gravity of the infringements” and what is described as reckless disregard for fundamental rights. The GDPR empowers regulators to impose fines up to 4 per cent of a company’s annual global turnover. In its most recent fiscal year, Microsoft reported revenues of $281.7 billion (€241.5 billion). The company is one of the largest and longest-established US multinationals in Ireland, with more than 6,000 staff. Irish subsidiaries of Microsoft paid $41 billion in dividends to the parent company in its 2024 financial year and the first months of 2025. When asked about the ICCL’s complaint, Israel’s defence ministry said, “We will not comment.”
