Dutch investigators have put Microsoft on alert over regulatory action after ruling its data collection methods posed a risk to user privacy.
Microsoft Office and Windows 10 Enterprise uses a telemetry data collection mechanism that breaches the EU’s General Data Protection Regulation (GDPR), according to a 91-page report commissioned by the Dutch government, and conducted by firm Privacy Company.
The findings outlined eight high-risk data protection risks with ProPlus subscriptions of Office 2016 and Office 365, as well as the web-based Office 365.
These include unlawful storage of sensitive categories of data and metadata, and keeping data beyond the time needed. The investigators also found that Microsoft incorrectly categorised itself as a data processor instead of a joint-controller.
“Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services,” said Sjoera Nas, senior privacy adviser at Privacy Company. “For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so-called system-generated event logs.”
Microsoft systematically collected data about individuals’ use of Microsoft Office apps such as Word, Excel and PowerPoint without informing people, and did not offer users a choice to turn this off, the report found.
As with Windows 10, Microsoft included separate software in Office that routinely sent encoded telemetry to the United States, with the encoded functionality meaning there is no visibility over what data is collected, according to the findings.
The lack of any comprehensive documentation over what type of personal data the Redmond-based company processes, and on clearly defined purposes, also sounded alarms, as did the fact that data was routinely sent to the US.
These particularly concerned Dutch officials as sensitive government data may have been harvested as part of the mechanism and wound up on US servers that are subject to seizure or query by US law enforcement.
With GDPR now several months into play, data watchdogs across Europe are beginning to take their first steps in the new regulatory landscape. Microsoft is the latest in a line of major companies accused of breaching GDPR, with Oracle and Equifax among seven firms reported for violations by a data rights group last week.
“On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to adapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation,” the Dutch government said in a statement. “Microsoft has agreed to report regularly on its progress. If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures.”
Privacy Company’s Sjoera Nas also outlined several measures IT administrators can take to lower the risks of privacy breaches, such as centrally blocking the use of Connected Services, not using OneDrive, and not using the web-only version of Office 365.
Microsoft has agreed to implement a series of changes to its products to reflect the findings, and have until April 2019 to comply, with the Dutch government blocking dataflows to Microsoft as much as possible in the meantime.
If the firm does not satisfy the regulator’s demands it may face a fine which, under GDPR, can escalate to as high as €20 million, or 4% of global annual turnover, whichever is higher.
“We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws,” a Microsoft spokesperson told Alphr. “We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”