
Microsoft Responds to Dutch DPIA with Privacy Control for Office ProPlus

Office, the Dutch Government, and Telemetry

Last November, I reported that a Data Protection Impact Assessment (DPIA) report done on behalf of the Dutch Government slammed Microsoft because of the way that Office apps transmitted so much data back to the Redmond mother ship. The report referred to the “large-scale and covert collection of personal data,” a big no-no in the era of GDPR.

Yesterday, Microsoft announced that they will include additional privacy controls to allow Office 365 tenants to manage the data Office ProPlus for Windows (version 1904 onwards) sends to Microsoft (Figure 1).

Figure 1: Microsoft says Office ProPlus gets extra privacy controls

Microsoft also says that “work is underway to enable these (privacy) controls for Office on other platforms.” My assumption is that this statement refers to Office for Mac and the Office mobile apps. Microsoft is only delivering the privacy controls for the click-to-run version of Office. There’s no word on whether, or when, customers running the MSI version of Office will see the same kind of privacy controls. If forced to guess, I’d say no, because Microsoft is doing as much as it can to move customers to the click-to-run version of Office.

Privacy and the Office 365 Server Apps

Microsoft’s announcement contains nothing about what they might do to control telemetry transmitted back by the Office 365 server apps: Exchange Online, SharePoint Online, Teams, OneDrive for Business, Planner, and so on gather a heap of data about how people work, collaborate, share, and interact. Some of that data is surfaced in applications like Delve and MyAnalytics, but there’s much more captured in the Microsoft Graph and other telemetry to help Microsoft engineering groups understand how their software works in different circumstances.


Going forward, as Microsoft seeks to include more artificial intelligence in Office 365, I think respecting customer privacy is one of the biggest challenges they face. Everyone loves new functionality, but only if it’s delivered in such a way that Microsoft lives up to their commitment that customer data is owned by customers.

Sometimes in the past, as in the ill-fated attempt to create Office 365 groups for managers and their direct reports, that commitment has wavered. On the surface, the proposal seemed to deliver lots of value, but creating a batch of objects in customer directories without approval is unacceptable, as was the more recent idea to create a transport rule to encrypt some messages, something that could have affected business logic implemented in other transport rules.

The Balancing Act

Gathering telemetry helps Microsoft improve their software. It’s something people probably always knew was happening without ever realizing just how pervasive the acquisition and analysis of data had become. The Dutch DPIA did everyone a favor by highlighting the issue and forcing Microsoft to respond. It will now be interesting to see how organizations use the new privacy controls.

Note: On November 18, 2019, Microsoft announced changes to their Online Services Terms. Microsoft will take on extra responsibility as the GDPR data controller of some of the data they collect.


Comments (2)

  1. Just one minor point:

     “If no changes are made by the organization, all such data will continue to be sent.”

     That still contravenes GDPR. It has to be opt-in, which means with 1904 it should automatically stop sending the data until the organization turns the metrics back on.

     And how do you disable the reporting with Office 365 Home or Personal? They are also both in contravention of GDPR.

     Still, a small move in the right direction. More than can be said of most of the industry.

  2. One of the questions raised at the time of the DPIA’s publication was whether Microsoft would release its “solution” on a geo-constrained basis (Netherlands only, or Europe only), or go global with it. While yes, there is still space for improvement, the first step in making the controls available everywhere is a good one.


Tony Redmond has written thousands of articles about Microsoft technology since 1996. He covers Office 365 and associated technologies for and is also the lead author for the Office 365 for IT Pros eBook, updated monthly to keep pace with change in the cloud.