Microsoft will make Office Pro Plus GDPR compliant

If the reports are true, Microsoft is planning to update Office Pro Plus so that it meets the GDPR requirements. Here is some background on this move.

Microsoft's Office and the collision with GDPR

First a short review: In November 2018 I reported on a serious problem in my article Dutch report says Microsoft Office is not GDPR compliant. Microsoft spies on users through its Office Pro Plus modules, and this does not comply with the European GDPR.

This was the result of an audit initiated by the Dutch Ministry of Security and Justice. The Dutch authorities also use Microsoft Office, and the Ministry wanted to make sure that the software in use complied with the General Data Protection Regulation (GDPR) and other legal provisions.

The result, disclosed in the document Impact assessment shows privacy risks Microsoft Office ProPlus Enterprise, was frightening: Microsoft collects and stores personal information about the behavior of individual employees on a large scale, without any public documentation. The Ministry's Data Protection Impact Assessment (DPIA) report is available here. Office 2016 and Office 365 were investigated; the details can also be read in my blog post Dutch report says Microsoft Office is not GDPR compliant.

Microsoft will update Office Pro Plus

The Dutch authority's report probably forced Microsoft to act. Mary Foley points out in a tweet that Microsoft is planning changes.

Foley's post is based on the Politico article Microsoft to update Office Pro Plus after Dutch ministry questions privacy. According to this article, Microsoft plans to update its Office Pro Plus products by the end of April 2019 to address a number of privacy concerns raised in the audit commissioned by the Dutch Ministry of Justice.

According to Politico, Microsoft has confirmed the update. It is intended to address concerns about GDPR compliance when Office Pro Plus is used in enterprise environments. The goal is to resolve the current uncertainty about diagnostic data being transferred from Europe to the United States without adequate documentation and without user control over what is sent.

Microsoft and the Dutch Ministry of Justice had agreed on the changes as part of an "improvement plan" with a deadline of April 2019. A Ministry spokesman told Politico that if Microsoft's responses or improvements proved "unsatisfactory", the Ministry would reserve the right to take further "enforcement action".

In a statement, Microsoft's privacy and regulatory advisor Julie Brill says that the Dutch Ministry had commissioned the audit as a customer of Microsoft and had not taken any regulatory action against the company. According to Brill, Microsoft is working with the Ministry's staff to share additional information and help resolve its concerns. She is convinced that Office Pro Plus "complies with Dutch law and GDPR".

"We feel good about what we're doing to give customers transparency and choice on the diagnostic data they share with us, but we always want to do more," Brill said. "In the coming weeks we will take additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional." If Microsoft rolls out an update, it will of course be available to all Office Pro Plus users.

If Microsoft's changes are not sufficient to satisfy the Dutch authorities, they may go one step further. Under EU data protection legislation, the Irish Data Protection Commission (DPC) is the "lead supervisory authority" responsible for ensuring that Microsoft complies with the rules. If the Netherlands decides that its concerns have not been allayed, it could refer a request with the relevant questions to the Irish regulator. In the meantime, all questions will be closely monitored by the European Data Protection Board, to which all EU data protection authorities belong, and by the European Data Protection Supervisor, which may in turn open its own investigations that could lead to enforcement action.

A spokesman for the Irish Data Protection Commission (DPC) said it was aware of the matter and of its importance to companies using the Microsoft product in question. Upon becoming aware, the DPC immediately contacted Microsoft to obtain further information on the processing of telemetry data. According to the DPC, Microsoft provided detailed answers. It remains to be seen what the outcome of this case will be.
