DUBLIN, Ireland – On December 4, 2025, the Irish Data Protection Commission (DPC) confirmed it has received a formal complaint against Microsoft Corp., accusing the tech giant of unlawfully processing and storing personal data belonging to Palestinians and EU citizens. The allegations center on the company’s Azure cloud platform, which reportedly facilitated mass surveillance by the Israeli Defense Forces (IDF) in Gaza and the occupied West Bank, potentially enabling targeting and occupation activities. With Microsoft’s European headquarters in Dublin, the DPC acts as the lead regulatory authority for the firm under the European Union’s General Data Protection Regulation (GDPR).
The complaint, filed jointly by the UK-based non-profit Ekō and Ireland’s Irish Council for Civil Liberties (ICCL), describes the data handling as a breach of GDPR principles, including lawful processing, data minimization, and accountability. Ekō, an organization dedicated to prioritizing people and planet over profits, stated in its announcement: “Microsoft unlawfully processed personal data belonging to Palestinians and EU citizens, enabling surveillance, targeting, and occupation by the Israeli military.” The group claims the processing not only violated privacy rights but also contributed to real-world harms, including the facilitation of civilian killings in Gaza and ongoing mass surveillance across the occupied Palestinian territories.
A DPC spokesperson told reporters: “I can confirm that the DPC has received a complaint and it is currently under assessment.” Under GDPR, the commission has the authority to investigate cross-border data processing, impose fines up to 4% of a company’s global annual turnover—potentially billions for Microsoft—and order the suspension of unlawful activities. The filing urges an urgent probe, citing the “threat to life” posed by the alleged surveillance infrastructure.
This development stems from a series of investigative reports by The Guardian, in collaboration with Israeli-Palestinian outlet +972 Magazine and Hebrew-language publication Local Call, which exposed the IDF’s deep integration with U.S. tech firms during its military operations in Gaza and the West Bank. The first major revelation came in January 2025, when leaked documents from Israel’s defense ministry and Microsoft’s Israeli subsidiary detailed how Azure had become a cornerstone of IDF computing needs after October 7, 2023. The files showed a surge in cloud storage and AI usage by units like the elite signals intelligence division Unit 8200 and the tech-focused Unit 81. One internal IDF presentation highlighted Azure’s role in maintaining “Rolling Stone,” a population registry system tracking Palestinian movements, alongside support for air, ground, and naval operations.
By August 6, 2025, further reporting revealed the scale of the surveillance apparatus. Unit 8200 had leveraged Azure’s near-limitless storage capacity to build a system operational since 2022 that intercepted, stored, and analyzed millions of Palestinian mobile phone calls daily—estimated at up to a million per hour. Sources within Unit 8200 described a customized and segregated area within Azure for retaining audio files, texts, and metadata, which were then processed with AI to identify potential targets for airstrikes in Gaza. The system expanded from West Bank monitoring—where 3 million Palestinians live under occupation—to full deployment during the Gaza offensive, aiding in research and identification of bombing sites.
The data repositories were housed in Azure’s European regions, specifically North Europe (Ireland) and West Europe (Netherlands), subjecting them to GDPR oversight. This extraterritorial storage raised immediate legal red flags, as GDPR mandates explicit consent or a legitimate interest for processing sensitive personal data, neither of which applied to bulk civilian intercepts, according to privacy experts. The regulation, enacted in 2018, aims to safeguard EU residents’ information from misuse, with provisions against transfers to non-adequate jurisdictions unless safeguards like standard contractual clauses are in place. Critics argue Microsoft’s contracts with the IDF bypassed these, treating the data as customer-owned without scrutinizing end-use.
Microsoft’s initial response was measured. On August 15, 2025, the company launched an internal review, stating it had found no evidence to date that Azure or AI tools were used to target or harm people in Gaza. However, by September 25, preliminary findings shifted course. President Brad Smith announced the termination of specific subscriptions for an unnamed IDF unit, disabling access to cloud storage and AI services in the Netherlands. “We do not provide technology to facilitate mass surveillance of civilians,” Smith wrote in a blog post, emphasizing compliance with terms of service. The move did not affect broader cybersecurity support to Israel or the region.
The complaint alleges this was too little, too late—and potentially obstructive. Citing whistleblower accounts from within Microsoft, Ekō and ICCL claim the company rapidly offloaded vast quantities of illegally captured surveillance data from EU servers shortly after The Guardian’s August exposé, in early August 2025. Sources indicated the data was transferred to Amazon Web Services, frustrating potential investigations and violating GDPR’s storage limitation and integrity principles. A Microsoft spokesperson countered: “Our customers own their data, and the actions taken by this customer to transfer their data in August were their choice. These actions in no way impeded our investigation.” The firm maintains it respects customer privacy and cannot access content without permission.
The broader context underscores escalating scrutiny of Big Tech’s entanglement in geopolitical conflicts. Israel’s Gaza operations, now in their third year, have drawn genocide accusations from UN experts and rights groups, with over 65,000 Palestinian deaths reported. A July 2025 UN report labeled corporate cloud providers like Microsoft part of an “economy of genocide,” noting how Azure enhanced military decision-making and surveillance. Internally, Microsoft has faced protests: Employees disrupted CEO Satya Nadella’s May 2025 keynote, decrying Azure’s role in Israeli war crimes, leading to firings. Investor pressure mounted too, with a July shareholder resolution from over 60 filers representing $80 million in shares demanding human rights due diligence.
Ekō’s Rewan Haddad framed the complaint as a pivot: “Microsoft is no longer just a tech company—it’s acting as a weapons company, empowering a military state under investigation for genocide.” ICCL’s Fritz-Jochen O’Brien echoed this, calling for the DPC to wield its full powers given the real-world violence enabled by EU infrastructure. Pro-Palestinian groups like the Council on American-Islamic Relations hailed the filing as a step toward accountability, while No Azure for Apartheid demanded a full severance of military ties.
Microsoft, with Azure powering 30% of global cloud workloads, insists its principles apply universally. Yet, the DPC’s assessment could ripple: Similar complaints have led to €1.2 billion fines against Meta and others for data transfers. Legal analysts predict a protracted probe, potentially involving other EU watchdogs via the European Data Protection Board.
As the complaint advances, it spotlights a tension at tech’s frontier—innovation versus ethics. For Palestinians under surveillance and EU citizens whose communications cross borders, the stakes are profoundly human. The DPC’s next moves, expected in coming weeks, could redefine how cloud giants navigate war zones.
