The new Microsoft Outlook app is a data protection disaster and a GDPR no-go. Following the revelation that the app transfers access data for accounts and content to Microsoft's cloud, mail vendor Proton took a closer look at the app. The app is a tracker, and an absolute no-go, as the app transfers usage data to over 700 advertising partners. The new Outlook is a kind of "monitoring and data collection tool for targeted advertising".
The Proton analysis
The facts came to my attention a few hours ago via the following tweet. There was already a reader comment with a reference to the topic (thanks for that) within my German blog.
Proton, a provider of secure e-mail, has taken a closer look at the new Outlook app and published its findings in the blog post Outlook is Microsoft's new data collection service. In a nutshell:
- The new Outlook app is no longer an email client, but is mutating into a data collector and surveillance tool.
- European users who download the new Outlook app and use it without a Microsoft 365 subscription will see the pop-up shown in the tweet above, where they are asked to agree to the terms of use.
- In the dialog box, the user is informed that the new Outlook app will share the collected user data with 772 third-party providers who are allowed to evaluate and store this data.
In the dialog box, the user of the new Outlook app is asked to agree that Microsoft and 772 third parties may process data as reflected in the following text.
"We and 772 third parties process data to: store and/or access information on your device, develop and improve products, personalize ads and content, measure ads and content, derive audience insights, obtain precise geolocation data, and identify users through device scanning. Some third parties may process your data on the basis of their legitimate interest. You may exercise your right to consent or object at any time by selecting the Manage preferences link below, or through Outlook settings. By clicking the Accept all button, you agree to the use of these technologies and the processing of your data for these purposes while using Outlook."
The user is asked to agree that all parties may store information on the device used and may also access this data again in order to:
- develop and improve products,
- personalize ads and content,
- measure ads and content to gain insights about the target audience,
- obtain accurate geolocation data, and
- identify users by scanning devices.
In short, the perfectly transparent user, captured with the new Microsoft Outlook app. Where the ad blocker immediately kicks in for web surfers and people are happy about "automatic cookie rejections", the common Outlook app user is happy to jump into full surveillance, with tracking right down to the last corner. More details can be found in the Proton blog post.
Microsoft has of course read the GDPR (General Data Protection Regulation) and says: "Some third parties may process your data on the basis of their legitimate interests." – I think this is an extremely fuzzy argument, because what legitimate interest should there be for a third party to scan a user's data and monitor their behavior via the new Outlook app?
Of course, in line with the GDPR, Microsoft allows users to withdraw their consent to tracking and data collection or to grant it on a granular basis. All in all, it can be said that Microsoft has become a data octopus (and not only with the new Outlook app), and the offering is an absolute no-go in terms of the GDPR.
Background: New Outlook app
Since September 2023, Microsoft has been providing the so-called "New Outlook app", which will initially replace the Mail and Contacts apps in Windows. I reported on this in July in the article Microsoft 365: First Windows Mail and Calendar users will be migrated to the new Outlook at the end of August 2023. Windows 11 will be delivered with the new Outlook app in the future. In the medium term, however, Microsoft is also planning to replace the classic Outlook from Microsoft Office with the new Outlook app (I guess this will be the case in 2026).
Since then, however, the new Outlook app has been making thoroughly negative headlines. My suspicion that the new Outlook app transfers the access data for email inboxes and calendars to Microsoft so that the data can be collected via the "Microsoft Cloud" and then transferred to the app was confirmed in 2023. I explained the facts in more detail in the article Beware: New Outlook app transfers access data to Microsoft, where I also pointed out that this practice has already been the case with the Microsoft apps for Android and iOS for years. At the time, the European Parliament's IT department had banned the Microsoft Outlook app for Android and iOS (based on the above facts).
At the time, everything was "dismissed", as Microsoft clarified this issue. However, various state data protection officers advised against using the app in light of this situation. This design is virtually impossible to make GDPR-compliant, as it is unclear where the data from mailboxes will end up.
Sure, the user can refuse this consent – but who of the many millions of users does that? And who will give the assurance that it will really stay that way – and that data will never suddenly be tapped and analyzed due to a programming error? A nightmare for every GDPR officer, in my opinion. You can only say "Hands off the new Outlook app". But Microsoft is currently trying to establish the new Outlook app more broadly in business environments (see my article New Outlook client: Extended test in January 2024 for enterprises). It's going to be fun.
Similar articles
Microsoft 365: First Windows Mail and Calendar users will be migrated to the new Outlook at the end of August 2023
New Outlook client: Extended test in January 2024 for enterprises
Beware: New Outlook app transfers access data to Microsoft
New Outlook app: Microsoft's statement on transferred credentials and content
New Outlook for Windows 11: Adding of business accounts denied due to missing licensing