Users told to ditch OneDrive and Office 365 to avoid 'covert' data harvesting

Microsoft now faces sanctions as investigators claim the policy breaches GDPR


Dutch investigators have put Microsoft on alert over regulatory action after ruling its data collection methods posed a risk to user privacy.

Microsoft Office and Windows 10 Enterprise use a telemetry data collection mechanism that breaches the EU's General Data Protection Regulation (GDPR), according to a 91-page report commissioned by the Dutch government and conducted by the firm Privacy Company.


The findings outlined eight high-risk data protection issues with ProPlus subscriptions of Office 2016 and Office 365, as well as with the web-based Office 365.

These include unlawful storage of sensitive categories of data and metadata, and keeping data beyond the time needed. The investigators also found that Microsoft incorrectly categorised itself as a data processor instead of a joint-controller.

"Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services," said Sjoera Nas, senior privacy adviser at Privacy Company.

"For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so-called system-generated event logs."

Microsoft systematically collected data about individuals' use of Microsoft Office apps such as Word, Excel and PowerPoint without informing people, and did not offer users a choice to turn this off, the report found.


As with Windows 10, Microsoft included separate software in Office that routinely sent encoded telemetry to the United States, and because that telemetry is encoded there is no visibility over what data is collected, according to the findings.

The lack of any comprehensive documentation of what types of personal data the Redmond-based company processes, or of clearly defined purposes for that processing, also sounded alarms, as did the fact that data was routinely sent to the US.

This particularly concerned Dutch officials, as sensitive government data may have been harvested by the mechanism and ended up on US servers that are subject to seizure or query by US law enforcement.

With GDPR now several months into play, data watchdogs across Europe are beginning to take their first steps in the new regulatory landscape. Microsoft is the latest in a line of major companies accused of breaching GDPR, with Oracle and Equifax among seven firms reported for violations by a data rights group last week.


"On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to adapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation," the Dutch government said in a statement.

"Microsoft has agreed to report regularly on its progress. If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures."

Privacy Company's Sjoera Nas also outlined several measures IT administrators can take to lower the risks of privacy breaches, such as centrally blocking the use of Connected Services, not using OneDrive, and not using the web-only version of Office 365.
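As an added example (not from the article or from Privacy Company), the PowerShell script below audits, on a Windows client running Office 2016/365 ProPlus, the registry values that implement those measures: Connected Services disabled, diagnostic data set to "neither", and the OneDrive sync client blocked. The policy paths and values are assumed from Microsoft's Office privacy policy documentation for version 16.0; the report itself names no keys, so verify them against the current Office ADMX templates before deploying.

```powershell
# Added example, not code from the article or from Privacy Company.
# Registry paths and values are assumptions taken from Microsoft's Office
# privacy policy documentation (Office 16.0); in a domain the same values
# are normally deployed via Group Policy and this script checks the result.
$checks = @(
    @{ Name     = 'Connected Services disabled (disconnectedstate = 2)'
       Path     = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\privacy'
       Value    = 'disconnectedstate'; Expected = 2 },
    @{ Name     = 'Diagnostic data level: neither (sendtelemetry = 3)'
       Path     = 'HKCU:\SOFTWARE\Policies\Microsoft\office\16.0\common\clienttelemetry'
       Value    = 'sendtelemetry'; Expected = 3 },
    @{ Name     = 'OneDrive sync client blocked (DisableFileSyncNGSC = 1)'
       Path     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'
       Value    = 'DisableFileSyncNGSC'; Expected = 1 }
)

function Test-OfficePrivacyPolicy {
    # -Apply writes the expected value where it is missing or wrong.
    # Writing under HKLM requires an elevated session.
    param([switch]$Apply)
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Value) }
        }
        $ok = ($actual -eq $c.Expected)
        if (-not $ok -and $Apply) {
            New-Item -Path $c.Path -Force | Out-Null
            Set-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -Type DWord
            $ok = $true
        }
        [pscustomobject]@{
            Check     = $c.Name
            Actual    = $actual
            Expected  = $c.Expected
            Compliant = $ok
        }
    }
}

# Audit only; run "Test-OfficePrivacyPolicy -Apply" to enforce the values.
Test-OfficePrivacyPolicy | Format-Table -AutoSize
```

The script reports per-user (HKCU) Office policies for the current account only; to cover every user on a shared machine, run it in each user's context or deploy the equivalent Group Policy.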

Microsoft has agreed to implement a series of changes to its products to reflect the findings, and has until April 2019 to comply, with the Dutch government blocking data flows to Microsoft as much as possible in the meantime.


If the firm does not satisfy the regulator's demands it may face a fine which, under GDPR, can escalate to as high as €20 million or 4% of global annual turnover, whichever is higher.

"We are committed to our customers' privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws," a Microsoft spokesperson told IT Pro.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns."
