Users warned of Microsoft data harvesting

null

Microsoft could soon face sanctions over its data collection methods after Dutch investigators discovered that the way the software giant collects data poses a risk to user privacy.

According to a report commissioned by the Dutch government, both Microsoft Office and Windows 10 use a telemetry data collection mechanism that is in breach of GDPR.

The findings of the report highlighted eight high-risk data protection risks with ProPlus subscriptions of Office 2016 and Office 365 including unlawful storage of sensitive types of data and metadata as well as keeping data beyond the required time period.

The investigators also discovered that the company categorized itself as a data processor when it should have been a joint-controller.

Collecting data without cause

Microsoft methodically collected data about how individuals use Word, Excel and PowerPoint without first informing users. The company also did not give them the option to opt out of having their data collected.

Alarms were raised when the Dutch investigators discovered that there was no documentation on the type of personal data Microsoft processed or why it was collecting the data in the first place. The fact that the company also routinely sent data to the US also raised serious concerns.

Dutch officials were particularly concerned that sensitive government data may have been collected and then sent to US servers that are subject to seizure or query by US law enforcement.

Microsoft and the Dutch government have since reached an agreement which the country's officials outlined in a statement, saying:

"On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to adapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation. Microsoft has agreed to report regularly on its progress. If progress is deemed insufficient or if the improvements offered are unsatisfactory, SLM Microsoft Rijk will reconsider its position and may ask the Data Protection Authority to carry out a prior consultation and to impose enforcement measures."