On behalf of the Dutch Ministry of Justice and Security, Privacy Company conducted a repeat assessment of the privacy risks of the browser version of Microsoft Office 365, and the Office apps for iOS and Android mobile phones. Privacy Company also assessed the privacy risks of Microsoft’s corporate Intune software, which allows system administrators, amongst others, to encrypt information on users' devices.
With the Ministry’s permission, we are publishing two blog posts about our findings. This blog is about the browser version, and the app version of Office 365. The second blog is about Intune.
For questions about the research, please contact SLM Rijk (Strategisch Leveranciersmanagement Microsoft Rijk), which can be contacted via the Ministry of Justice’s press spokesperson, +31 (0)70 370 73 45.
Privacy terms Dutch government
In May 2019, SLM Microsoft Rijk concluded new privacy terms with Microsoft for the 300,000 digital workstations of the Dutch government. This concerns the Enterprise versions of the Office software that are used by the ministries, the Tax and Customs Administration, the police, the judiciary, and independent administrative bodies. According to these new privacy terms, Microsoft only acts as a data processor for all its online services, processes personal data for only three well-defined and limited purposes, does not process the personal data for profiling, data analytics, market research or advertisements, and grants effective audit rights to the Dutch government.
Three DPIAs (Data Protection Impact Assessments) that Privacy Company conducted for the Dutch government in May and June 2019 showed that Microsoft had remedied the eight previously identified privacy risks for Office 365 ProPlus (the version of Office that you install on desktops, and laptops) through a combination of technical, organisational, and contractual measures. See the earlier blog about these risks.
However, the DPIA on Office for the Web and the mobile Office apps (published 23 July 2019) showed that Microsoft had not yet implemented these measures for the browser and app versions of the software. Microsoft mistakenly believed that the new privacy terms negotiated by the State did not apply to all data processing via the mobile Office apps.
In January 2020, Microsoft implemented global improvements of its privacy terms for its online Enterprise and Business services. See the Online Service Terms with separate Data Protection Addendum of April and January 2020 respectively. These improvements are inspired by the specific new privacy terms negotiated by the Dutch government. However, the improvements are explicitly not equal to these terms.
What is Office 365?
The Office 365 software can be used in three ways. The software can be installed on the computers and laptops of data subjects (Office 365 ProPlus), installed on smartphones and tablets (mobile Office apps for iOS and Android), or used as online applications that run in a browser (Office for the Web, formerly also called Office Online).
This DPIA concerns the last two versions of the software: Office for the Web and the mobile Office apps. The DPIA identifies the risks of diagnostic data processing via the five applications expected to be most commonly used: Word, PowerPoint, Outlook, Excel, and Teams, in combination with the use of Connected Experiences such as the spell checker, use of the cloud storage services SharePoint Online and OneDrive for Business connected to Office, the cloud identity service (Azure Active Directory), and the online mail server (Exchange Online).
Microsoft collects the diagnostic data in several ways: via system-generated event logs on its own servers, and via the so-called telemetry client in the mobile Office apps. As with the telemetry client in Windows 10 and Office 365 ProPlus, Microsoft programmed the mobile Office apps, and, more recently, Office for the Web, to systematically collect telemetry data on the device and send it to Microsoft's servers in the US on a regular basis. Microsoft also collects data from the browser via telemetry messages from Office for the Web. Microsoft did not do this in the earlier version of Office for the Web that was assessed in the previous (public) DPIA.
This DPIA is about the risks for data subjects of the processing of diagnostic data, and not about the content data that users have processed by Microsoft, such as text, photos, and videos. The diagnostic data also differ from the functional data that Microsoft must (temporarily) process to enable data subjects to use Microsoft's online services via the Internet.
Result: six high privacy risks
The outcome of this DPIA is that there are six high, and three low data protection risks for data subjects. These high risks are due to the following seven circumstances:
Six high, and three low risks
The six high risks are:
The three low risks are:
Mitigating measures Microsoft
SLM Microsoft Rijk provided Microsoft with the DPIA findings upon completion of this DPIA. The discussions between SLM Microsoft Rijk and Microsoft resulted in a set of measures that, upon successful implementation by Microsoft, result in the mitigation of high risks identified in the DPIA, if government organisations follow the recommendations set out in the DPIA report.
In sum, Microsoft’s technical and organisational measures will mitigate all 6 identified high risks.
Recommended measures for government organisations
What can companies do if they want to use the Enterprise version of Office 365?
Companies and organisations outside the Dutch government have to take into account high(er) privacy risks when using Office 365 ProPlus, Office for the Web, and the mobile Office apps. They should turn to Microsoft, preferably through an industry organisation, to negotiate similar privacy guarantees as the Dutch government. Irrespective of that, organisations could also conduct their own DPIA, based on the reports of the government, and submit the residual risks to the Data Protection Authority, as referred to in Article 36 of the GDPR.