Microsoft is under review in the European Union after a non-profit organisation filed a complaint accusing the company of illegally storing data on Palestinians that was later used for Israeli military surveillance.

The Irish Data Protection Commission said it received the complaint and confirmed it is “currently under assessment.” Because Microsoft’s European headquarters are in Ireland, the DPC serves as the company’s lead regulator in the EU.

The complaint was filed by Eko, a group that describes itself as focused on “people and planet over profits.” It claims Microsoft breached EU data protection rules by handling personal data belonging to Palestinians and EU citizens in a way that enabled “surveillance, targeting, and occupation by the Israeli military.”

The filing is linked to a report in The Guardian, which stated that the Israeli Defence Forces used Microsoft’s Azure cloud platform to store files from phone calls gathered through broad civilian surveillance in Gaza and the West Bank.

After looking into the report, Microsoft restricted the Israeli military’s access to certain cloud services in September. Eko now says whistleblowers at Microsoft have provided new information suggesting the company quickly removed large volumes of “illegally captured surveillance data” after the news report was published.

A Microsoft spokesperson said the data in question was moved by the customer, not the company. “Our customers own their data, and the actions taken by this customer to transfer their data in August were their choice. These actions in no way impeded our investigation,” the spokesperson said.

According to The Guardian, the data had been stored on servers in Ireland and the Netherlands, which places it under the EU’s General Data Protection Regulation. The regulation, introduced in 2018, sets strict rules on how companies collect, store, and use personal information.