Dutch Report Slams Microsoft for GDPR Violations in Office

Office 365 with Teams

Dutch Government Data Assessment and Office

A blog posted on November 13 by the Privacy Company in the Netherlands slams Microsoft for the amount of telemetry and diagnostic data gathered by Office applications without customer control. The report is based on work done for the Dutch SLM Rijk organization, which deals with Microsoft for procurement of its services for use within the Dutch government.

The information presented is after a Data Protection Impact Assessment (DPIA) done by the Privacy Company for SLM Rijk. Under the European Union’s General Data Protection Regulations (GDPR), companies must perform a DPIA for new high-risk processing projects. To get the full picture, you can download and read the complete PDF of the complete DPIA.

Largescale Covert Collection of Personal Data

The original focus of the DPIA considered the telemetry gathered by Windows 10 Enterprise but switched to Office 2016 (MSI and Click to Run) and the Office online apps as used by Office 365. According to the report, Microsoft told SLM Rijk that 23,000 to 25,000 different events are gathered by Office and sent to Microsoft for analysis by between 20 and 30 engineering teams.

Although this isn’t the first time that people have raised concerns about the collection of diagnostic data for Office (here’s an example), the Dutch report calls this activity “large scale and covert collection of personal data” and points out that there’s no way for an individual user or an Office 365 admin to turn off the collection.

On the surface, acquiring telemetry spanning such a wide spectrum of events is goodness because it allows Microsoft to understand how people use the Office apps and where problems happen. Many who have spoken to Microsoft engineers recently are familiar with the mantra that “the telemetry tells us…” trotted out to explain why software behaves that it does.

Personal Data and GDPR

But the problem is that Microsoft very likely includes personal data in the information it gathers and analyses. GDPR is very strict on defining personal data as “any information relating to an identified or identifiable natural person (the data subject).” Although the definition is open to interpretation, many consider that elements like IP addresses come within its scope.

Another issue pointed to in the report is the use of connected services which can collect data. For instance, if you use Teams to translate a message, the original language text is transmitted to Microsoft, translated there, and the translated text is returned to the client. The original text could contain personal data.

Further problems might come from Office 365 audit data, which can hold snippets of personal data such as the subject of email messages. Take Figure 1 for instance, which shows an audit record captured when a delegate removed a message from an Exchange Online mailbox. The message subject is clearly visible. Although the subject isn’t very exciting in this example, you can imagine how more interesting and informative subjects might turn up during an audit log search.

Audit Data Office 365
Figure 1: : Personal data in an Office 365 audit record (image credit: Tony Redmond)

Only Microsoft Knows

Grabbing tens of thousands of events accrued during user sessions with applications like Teams, OWA, Planner, SharePoint Online, and OneDrive for Business and the Office desktop apps casts a wide net that probably includes some personal data. Without showing organizations exactly what data is captured from its user activities, only Microsoft can say with certainty that no personal data is collected.

One example of how Microsoft might use the vast amount of telemetry data sitting in its Cosmos databases is the recent failed attempt to send Office 365 users “helpful training and tips via email.” Although Microsoft has backed down from this idea, there’s a lingering suspicion that the personalized tips might be based on the data gathered about Office 365 usage.

Because of the amount of information captured by Microsoft and its storage in the U.S., the Dutch report considers Microsoft to be a joint controller and not a data processor under GDPR Article 26. This imposes more responsibility on Microsoft to manage personal data.

Strong Recommendations

Microsoft is responding to the queries raised in the DPIA, but you can see the obvious frustration at the lack of formal written responses. While the Privacy Company awaits Microsoft’s answers, they’ve issued some advice to admins about how to lower the risks of using Office. Some of the steps suggested by Privacy Online are sensible, like stopping Office sending data back to Microsoft to “Improve Office” or using the zero-exhaust mode for Windows. Others are a tad radical for my taste. For instance, periodically deleting and recreating the accounts of VIP users might remove telemetry for those accounts, but it also removes any sharing permissions the accounts have in other tenants.

No reasons are given for the recommendation that you don’t use SharePoint Online or OneDrive for Business in the report, but the DPIA gives more insight in that information stored by these apps includes details of how employees access, send, or receive labelled information. I guess the same reason lies behind the recommendation not to use the web-only version of Office 365 (like OWA). In both cases, is this enough to stop you using major parts of Office 365?

Pragmatic Approach Needed

The Dutch report does the Office 365 community some service by highlighting the way Microsoft gathers and uses data without telling customers what data is collected and where it is stored. In the era of GDPR when large fines await those who fail to obey the regulations, data processors and controllers can’t adopt such a blasé attitude to personal data.

It will be interesting to hear how Microsoft responds to the DPIA. They can hardly ignore the Dutch government. Let’s hope that Microsoft can come up with a pragmatic and effective approach to meet their GDPR obligations.