Microsoft Responds to Dutch DPIA with Privacy Control for Office ProPlus

Office, the Dutch Government, and Telemetry

Last November, I reported that a Data Protection Impact Assessment (DPIA) report done on behalf of the Dutch Government slammed Microsoft because of the way that Office apps transmitted so much data back to the Redmond mother ship. The report referred to the “large-scale and covert collection of personal data,” a big no-no in the era of GDPR.

Yesterday, Microsoft announced that they will include additional privacy controls to allow Office 365 tenants to manage the data Office ProPlus for Windows (version 1904 onwards) sends to Microsoft (Figure 1).

Figure 1: Microsoft says Office ProPlus gets extra privacy controls

Microsoft also says that “work is underway to enable these (privacy) controls for Office on other platforms.” My assumption is that this statement refers to Office for Mac and the Office mobile apps. Microsoft is only delivering the privacy controls for the click-to-run version of Office. There’s no word on whether, or when, customers running the MSI version of Office will see the same kind of privacy controls. If forced to guess, I’d say no because Microsoft is doing as much as they can to influence customers to move to the click-to-run version of Office.

Privacy and the Office 365 Server Apps

Microsoft’s announcement contains nothing about what they might do to control telemetry transmitted back by the Office 365 server apps. Exchange Online, SharePoint Online, Teams, OneDrive for Business, Planner, and so on gather a heap of data about how people work, collaborate, share, and interact. Some of that data is surfaced in applications like Delve and MyAnalytics, but there’s much more captured in the Microsoft Graph and other telemetry to help Microsoft engineering groups understand how their software works in different circumstances.

Going forward, as Microsoft seeks to include more artificial intelligence in Office 365, I think respecting customer privacy is one of the biggest challenges they face. Everyone loves new functionality, but only if it’s delivered in such a way that Microsoft lives up to their commitment that customer data is owned by customers.

Sometimes in the past, as in the ill-fated attempt to create Office 365 groups for managers and their direct reports, that commitment has wavered. On the surface, the proposal seemed to deliver lots of value, but creating a batch of objects in customer directories without approval is unacceptable, as was the more recent idea to create a transport rule to encrypt some messages, something that could have affected business logic implemented in other transport rules.

The Balancing Act

Gathering telemetry helps Microsoft improve their software. It’s something people probably always knew was happening without ever realizing just how pervasive the acquisition and analysis of data had become. The Dutch DPIA did everyone a favor by highlighting the issue and forcing Microsoft to respond. It will now be interesting to see how organizations use the new privacy controls.

Note: On November 18, 2019, Microsoft announced changes to their Online Services Terms. Microsoft will take on extra responsibility as the GDPR data controller of some of the data they collect.