Upcoming Webinar
Cayosoft Shows How Forest Recovery Tech Addresses Survey Issues
Join this webinar and not only learn about what your peers are doing, but also learn about a new patent-pending modern approach to AD forest recovery from Cayosoft.
New episode!
The Scoop on Loop: The Latest Innovations Directly From Microsoft!
Darrell Webster speaks to Rebecca Keys, a Program Manager from the Microsoft Loop team.
Turn Data Protection into an MRR Growth Engine
Security for your customers, revenue for your MSP practice. Access key insights on how to scale your practice with SkyKick’s new eGuide.
MSP eGuide to Package, Sell and Deliver M365 Security Services
Based on input from our top-performing MSPs, SkyKick prepared the MSP Guide to help you navigate the security landscape.

Dutch Report Slams Microsoft for GDPR Violations in Office

Office 365 with Teams

Dutch Government Data Assessment and Office

A blog posted on November 13 by the Privacy Company in the Netherlands slams Microsoft for the amount of telemetry and diagnostic data gathered by Office applications without customer control. The report is based on work done for the Dutch SLM Rijk organization, which deals with Microsoft for procurement of its services for use within the Dutch government.

The information presented is after a Data Protection Impact Assessment (DPIA) done by the Privacy Company for SLM Rijk. Under the European Union’s General Data Protection Regulations (GDPR), companies must perform a DPIA for new high-risk processing projects. To get the full picture, you can download and read the complete PDF of the complete DPIA.

Largescale Covert Collection of Personal Data

The original focus of the DPIA considered the telemetry gathered by Windows 10 Enterprise but switched to Office 2016 (MSI and Click to Run) and the Office online apps as used by Office 365. According to the report, Microsoft told SLM Rijk that 23,000 to 25,000 different events are gathered by Office and sent to Microsoft for analysis by between 20 and 30 engineering teams.

Although this isn’t the first time that people have raised concerns about the collection of diagnostic data for Office (here’s an example), the Dutch report calls this activity “large scale and covert collection of personal data” and points out that there’s no way for an individual user or an Office 365 admin to turn off the collection.

On the surface, acquiring telemetry spanning such a wide spectrum of events is goodness because it allows Microsoft to understand how people use the Office apps and where problems happen. Many who have spoken to Microsoft engineers recently are familiar with the mantra that “the telemetry tells us…” trotted out to explain why software behaves that it does.

Personal Data and GDPR

But the problem is that Microsoft very likely includes personal data in the information it gathers and analyses. GDPR is very strict on defining personal data as “any information relating to an identified or identifiable natural person (the data subject).” Although the definition is open to interpretation, many consider that elements like IP addresses come within its scope.

Another issue pointed to in the report is the use of connected services which can collect data. For instance, if you use Teams to translate a message, the original language text is transmitted to Microsoft, translated there, and the translated text is returned to the client. The original text could contain personal data.

Further problems might come from Office 365 audit data, which can hold snippets of personal data such as the subject of email messages. Take Figure 1 for instance, which shows an audit record captured when a delegate removed a message from an Exchange Online mailbox. The message subject is clearly visible. Although the subject isn’t very exciting in this example, you can imagine how more interesting and informative subjects might turn up during an audit log search.

Audit Data Office 365 — Figure 1: : Personal data in an Office 365 audit record (image credit: Tony Redmond)

Only Microsoft Knows

Grabbing tens of thousands of events accrued during user sessions with applications like Teams, OWA, Planner, SharePoint Online, and OneDrive for Business and the Office desktop apps casts a wide net that probably includes some personal data. Without showing organizations exactly what data is captured from its user activities, only Microsoft can say with certainty that no personal data is collected.

One example of how Microsoft might use the vast amount of telemetry data sitting in its Cosmos databases is the recent failed attempt to send Office 365 users “helpful training and tips via email.” Although Microsoft has backed down from this idea, there’s a lingering suspicion that the personalized tips might be based on the data gathered about Office 365 usage.

Because of the amount of information captured by Microsoft and its storage in the U.S., the Dutch report considers Microsoft to be a joint controller and not a data processor under GDPR Article 26. This imposes more responsibility on Microsoft to manage personal data.

Strong Recommendations

Microsoft is responding to the queries raised in the DPIA, but you can see the obvious frustration at the lack of formal written responses. While the Privacy Company awaits Microsoft’s answers, they’ve issued some advice to admins about how to lower the risks of using Office. Some of the steps suggested by Privacy Online are sensible, like stopping Office sending data back to Microsoft to “Improve Office” or using the zero-exhaust mode for Windows. Others are a tad radical for my taste. For instance, periodically deleting and recreating the accounts of VIP users might remove telemetry for those accounts, but it also removes any sharing permissions the accounts have in other tenants.

No reasons are given for the recommendation that you don’t use SharePoint Online or OneDrive for Business in the report, but the DPIA gives more insight in that information stored by these apps includes details of how employees access, send, or receive labelled information. I guess the same reason lies behind the recommendation not to use the web-only version of Office 365 (like OWA). In both cases, is this enough to stop you using major parts of Office 365?

Pragmatic Approach Needed

The Dutch report does the Office 365 community some service by highlighting the way Microsoft gathers and uses data without telling customers what data is collected and where it is stored. In the era of GDPR when large fines await those who fail to obey the regulations, data processors and controllers can’t adopt such a blasé attitude to personal data.

It will be interesting to hear how Microsoft responds to the DPIA. They can hardly ignore the Dutch government. Let’s hope that Microsoft can come up with a pragmatic and effective approach to meet their GDPR obligations.

by Tony Redmond
Nov 14, 2018

Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for Petri.com and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with c...

How to Grant Full Mailbox Access to Users in Office 365 and Exchange Server

Aug 4, 2023
Aug 08, 2023
Microsoft and AI: What Is the Copilot Semantic Index and How Does It Work?

Feb 6, 2024
Mar 21, 2024
Nested Microsoft 365 Groups: What You Need to Know

Jul 12, 2023

Take our survey

PETRI NEWSLETTERS

Join Petri Insider

Create a free account today to participate in forum conversations, comment on posts and more.