Microsoft Responds to Dutch DPIA with Privacy Control for Office ProPlus
Office, the Dutch Government, and Telemetry
Last November, I reported that a Data Protection Impact Assessment (DPIA) report done on behalf of the Dutch Government slammed Microsoft because of the way that Office apps transmitted so much data back to the Redmond mother ship. The report referred to the “large-scale and covert collection of personal data,” a big no-no in the era of GDPR.
Yesterday, Microsoft announced that they will include additional privacy controls to allow Office 365 tenants to manage the data Office ProPlus for Windows (version 1904 onwards) sends to Microsoft (Figure 1).
Microsoft also says that “work is underway to enable these (privacy) controls for Office on other platforms.” My assumption is that this statement refers to Office for Mac and the Office mobile apps. Microsoft is only delivering the privacy controls for the click-to-run version of Office. There’s no word about if customers running the MSI version of Office will see the same kind of privacy controls and when. If forced to guess, I’d say no because Microsoft is doing as much as they can to influence customers to move to the click-to-run version of Office.
Privacy and the Office 365 Server Apps
Microsoft’s announcement contains nothing about what they might do to control telemetry transmitted back by the Office 365 server apps: Exchange Online, SharePoint Online, Teams, OneDrive for Business, Planner, and so on gather a heap of data about how people work, collaborate, share, and interact. Some of that data is surfaced in applications like Delve and MyAnalytics, but there’s much more captured in the Microsoft Graph and other telemetry to help Microsoft engineering groups understand how their software works in different circumstances.
Going forward, as Microsoft seeks to include more artificial intelligence in Office 365, I think respecting customer privacy is one of the biggest challenges they face. Everyone loves new functionality, but only if it’s delivered in such a way that Microsoft lives up to their commitment that customer data is owned by customers.
Sometimes in the past, as in the ill-fated attempt to create Office 365 groups for managers and their direct reports, that commitment has wavered. On the surface, the proposal seemed to deliver lots of value, but creating a batch of objects in customer directories without approval is unacceptable, as was the more recent idea to create a transport rule to encrypt some messages, something that could have affected business logic implemented in other transport rules.
The Balancing Act
Gathering telemetry helps Microsoft improve their software. It’s something people always probably knew was happening without ever realizing just how pervasive the acquisition and analysis of data had become. The Dutch DPIA did everyone a favor by highlighting the issue and forcing Microsoft to respond. It will now be interesting to see how organizations use the new privacy controls.
Note: On November 18, 2019, Microsoft announced changes to their Online Services Terms. Microsoft will take on extra responsibility as the GDPR data controller of some of the data they collect.
More in Office 365
M365 Changelog: (Updated) Loop components in Outlook Mail Preview
Oct 22, 2022 | Rabia Noureen
How to Schedule an Email in Outlook
Sep 14, 2022 | Siji Roy
ESPC22 Conference Discount for Petri Readers
Sep 6, 2022 | Russell Smith
Microsoft Defender for Office 365 Gets Differentiated Protection for Priority Accounts
Apr 14, 2022 | Rabia Noureen
Microsoft 365 Non-Profit Plans to Get a Price Hike in September
Apr 11, 2022 | Rabia Noureen
Microsoft to Launch Office 365 Government Secret Cloud in Mid-2022
Mar 29, 2022 | Rabia Noureen
Most popular on petri