Microsoft Investigated for Potential GDPR Breach
A report by the Dutch Government could place Microsoft in the GDPR crosshairs after allegations that the company breached privacy legislation.
An investigation into how information, handled by some 300,000 Government employees, was processed by Microsoft suggests the firm carried out “large-scale and covert” data gathering through its Office apps.
According to the report, Microsoft broke GDPR guidelines through its alleged collection of correspondence from Office applications, including email titles and sentences where translation or spellchecker programmes were used. Additionally, it is alleged to have covertly stored this data on systems located in the US.
The report, which was compiled by Privacy Company, stated: “Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people.”
In the Spotlight
Microsoft does not publicly reveal the extent of its information gathering, nor does it provide options for turning off diagnostic and telemetry data sent by its Office software to the company.
The company’s reason for this is to ensure it can monitor application functions and pinpoint software issues. According to the report, the majority of what Microsoft collects is diagnostic data, and it has previously tried to ensure the system is GDPR compliant by storing documents on EU-based servers.
However, researchers also found that data collected by the firm contained sensitive information that often finds its way to US servers.
Authorities have also taken issue with the fact that Microsoft does not offer an opt-out, which other organisations often provide.
“Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded.”
Ultimately, the investigation concludes that Microsoft has violated GDPR “on many counts” – which includes a “lack of transparency and purpose limitation” as well as “the lack of legal ground for the processing” of data.
Dutch authorities said they are working with Microsoft to resolve the issue and that the company has compiled an ‘improvement plan’ – which regulators believe could fully resolve the dispute and stop future violations.
The report says that Microsoft is “committed” to submitting changes for verification in April 2019, and has offered to provide a “zero exhaust” version of Office. This version, researchers insisted, should be applied by public bodies using Office apps.
If changes aren’t made, the report noted, Microsoft could be subject to intense scrutiny, with a privacy watchdog warning of enforcement measures.
“If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures,” the report stated.