Microsoft faces sanctions as investigators claim GDPR breaches

Dutch investigators have put Microsoft on alert over regulatory action after ruling its data collection methods posed a risk to user privacy.

Microsoft Office and Windows 10 Enterprise use telemetry data collection mechanisms that breach the EU’s General Data Protection Regulation (GDPR).

These include unlawful storage of sensitive categories of data and metadata, and keeping data beyond the time needed. The investigators also found that Microsoft incorrectly categorised itself as a data processor instead of a joint-controller.

Microsoft not only collects usage data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services.

For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so-called system-generated event logs.

Microsoft systematically collected data about individuals’ use of Microsoft Office apps such as Word, Excel and PowerPoint without informing people, and did not offer users a choice to turn this off, the report found.

As with Windows 10, Microsoft included separate software in Office that routinely sent encoded telemetry to the United States; because the data is encoded, there is no visibility over what is collected, according to the findings.

The lack of any comprehensive documentation over what type of personal data the Redmond-based company processes, and on clearly defined purposes, also sounded alarms, as did the fact that data was routinely sent to the US.

Microsoft has agreed to report regularly on its progress. If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures.

Microsoft has agreed to implement a series of changes to its products to reflect the findings, and has until April 2019 to comply, with the Dutch government blocking data flows to Microsoft as much as possible in the meantime.

Source: ITPro