Large Data Breach Leads to Microsoft GDPR Investigation

Dutch investigators have initiated an investigation following claims that Microsoft Office is in breach of the European Union General Data Protection Regulations regarding to the private information the software has been collating including the content of private emails.

Those looking in to the suspected breach in the Netherlands have discovered, during their investigation of Microsoft Office, large scale collection of personal private data. It is believed that users had not been told that this was happening and had not provided official permission.

A Microsoft representative stated: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”

The computing g multinational says that the data was collected solely for functional and security reasons. However, the previously mentioned investigation showed that that Microsoft does collect data including email subject lines and snippets of content. Earlier in 2018 Microsoft moved its data collection back to Europe in an attempt to adhere with the General Data Protection Regulation. Previously they would export this data from the EU to data centres in the US.

Privacy Company, a third party consultancy that carried out the audit claimed that Microsoft engaged in ‘large scale and secret processing of data’ pertaining to clients.

The report that the Ministry of Justice published said: “Data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy.”

Microsoft, as was stated in the press release, had agreed in October to undertake an improvement plan for its security measures. It stated: “Microsoft has committed to submitting these changes for verification in April 2019”. The company has been given some space to address the issues in the processing of data or it may be subjected to large fines. As per GDPR legislation, introduced last May, companies can be hit with penalties fined €20m of 4% of annual global revenue if they are discovered to be gathering unnecessary user data or for data breaches.

This comes as privacy campaigners across the European Union have been registering complaints to the relevant local data protection authorities in relation to data management and processing at Facebook, Google and a number of other Internet and social media companies.