In November, the Dutch government accused Microsoft of breaking GDPR data privacy rules by processing personal data, including the content of private emails, without the knowledge of the data subjects, contrary to the Right to Information. Further, it was exporting the data outside of the EEA, again without the knowledge of data subjects, and contrary to the data exporting rules.

The Dutch government instigated an investigation into how Microsoft handled the personal data processed by the Ministry of Justice’s employees using Microsoft’s ProPlus suite. This is software which, once installed on PCs, connects to Office 365 servers.

Microsoft’s response:

Microsoft responded that it collected data for functional and security purposes. However, the investigation found that the data collected includes email subject lines and snippets of content, as well as sentences where the spellchecker or translation was used.

Microsoft collected telemetry data, as part of normal software monitoring, from users of Word, Excel, PowerPoint and Outlook. However, the data also included sentences from Microsoft Word or lines of emails if certain actions, such as using a spell-checker, were detected.

In addition, this content was found on servers in the US, a clear breach of GDPR, which prohibits transferring the personal data of Europeans outside the EEA without informing the data subjects and meeting other specific requirements.

The investigation reported:

“Data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy.”

Under GDPR, companies can be fined for gathering unnecessary user data or for data breaches. For the moment, the Dutch data protection authority has concluded that Microsoft has violated GDPR “on many counts” including “lack of transparency and purpose limitation, and the lack of a legal ground for the processing.”

What next?

Microsoft agreed in October to undertake an improvement plan for its services, to be verified by the regulator in April 2019. The Dutch data regulator has warned that if Microsoft does not make progress on its data processing it will consider enforcement measures. In other words, potentially a monster fine.

In February 2019 it was reported that Microsoft plans an upgrade to Office Pro Plus in April 2019 to address the issue of diagnostic data being routinely sent to the US without informing users. The initial audit carried out on behalf of the Dutch authorities found that Microsoft was systematically collecting data on a large scale about individuals’ use of Office Word, Excel, PowerPoint and Outlook. This data collection was taking place covertly: data subjects were not informed, nor was there any opportunity to opt out of supplying the data.