Users told to ditch OneDrive and Office 365 to avoid 'covert' data harvesting

Microsoft now faces sanctions as investigators claim the policy breaches GDPR


Dutch investigators have put Microsoft on alert over regulatory action after ruling its data collection methods posed a risk to user privacy.

Microsoft Office and Windows 10 Enterprise use a telemetry data collection mechanism that breaches the EU's General Data Protection Regulation (GDPR), according to a 91-page report commissioned by the Dutch government and conducted by the firm Privacy Company.

The findings outlined eight high data protection risks in ProPlus subscriptions of Office 2016 and Office 365, as well as in the web-based Office 365.

These include unlawful storage of sensitive categories of data and metadata, and keeping data beyond the time needed. The investigators also found that Microsoft incorrectly categorised itself as a data processor instead of a joint-controller.

"Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services," said Sjoera Nas, senior privacy adviser at Privacy Company.


"For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so-called system-generated event logs."

Microsoft systematically collected data about individuals' use of Microsoft Office apps such as Word, Excel and PowerPoint without informing people, and did not offer users a choice to turn this off, the report found.

As with Windows 10, Microsoft included separate software in Office that routinely sent encoded telemetry to the United States; because the telemetry is encoded, there is no visibility over what data is collected, according to the findings.

The lack of any comprehensive documentation of what type of personal data the Redmond-based company processes, and of clearly defined purposes for doing so, also sounded alarms, as did the fact that data was routinely sent to the US.

These particularly concerned Dutch officials as sensitive government data may have been harvested as part of the mechanism and wound up on US servers that are subject to seizure or query by US law enforcement.


With GDPR now several months into play, data watchdogs across Europe are beginning to take their first steps in the new regulatory landscape. Microsoft is the latest in a line of major companies accused of breaching GDPR, with Oracle and Equifax among seven firms reported for violations by a data rights group last week.

"On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to adapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation," the Dutch government said in a statement.

"Microsoft has agreed to report regularly on its progress. If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures."

Privacy Company's Sjoera Nas also outlined several measures IT administrators can take to lower the risks of privacy breaches, such as centrally blocking the use of Connected Services, not using OneDrive, and not using the web-only version of Office 365.

Microsoft has agreed to implement a series of changes to its products to reflect the findings, and has until April 2019 to comply, with the Dutch government blocking data flows to Microsoft as much as possible in the meantime.


If the firm does not satisfy the regulator's demands it may face a fine which, under GDPR, can escalate to as high as €20 million, or 4% of global annual turnover, whichever is higher.


"We are committed to our customers' privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws," a Microsoft spokesperson told IT Pro.

"We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns."
