Microsoft Office GDPR Breach

Microsoft is currently under investigation by a group of Dutch investigators following claims that Microsoft Office is in breach of the European Union General Data Protection Regulation (GDPR) in relation to the data the software has been gathering, including the content of private emails.

The investigators reviewing the suspected breach in the Netherlands have revealed that, during their investigation of Microsoft Office, they uncovered large-scale collection of personal data. It is believed that Microsoft had not informed users that this collection was occurring and had not received official permission.

Following these claims, a spokesperson from Microsoft said: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”

Microsoft is now claiming that the data was collected solely for functional and security purposes. Despite this, results from the investigation showed that Microsoft does collect data including email subject lines and some content. Microsoft moved its data collection back to Europe earlier this year in order to comply with the General Data Protection Regulation. Before this, it exported the data from the EU to data centres in the US for storage.

A report from the Ministry of Justice stated: “Data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy.”

It was revealed in the press release that Microsoft had agreed in October to undertake an improvement plan for the services it offers, stating “Microsoft has committed to submitting these changes for verification in April 2019”. The computing giant has been given some time to address the issues in its processing of data. If it fails to do this, it may be subjected to massive fines. Since GDPR legislation was implemented in May of this year, companies can be fined €20m or 4% of annual global revenue for gathering unnecessary user data or for data breaches.

Currently, privacy advocates across the European Union have been submitting complaints to the relevant local data protection authorities in relation to data management and processing at Facebook, Google and a number of other Internet and social media-related companies.

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth.