Microsoft improves privacy terms for Office for all organisations

Microsoft will improve its privacy terms worldwide. From the beginning of next year, improved privacy terms will apply, which according to Microsoft are based, among other things, on the conditions that the Dutch government negotiated for its employees this spring.

The improvements will not only apply to the Enterprise version of Office 365, but also to the Business version for small and medium-sized enterprises. Julie Brill, the Corporate Vice President for Global Privacy and Regulatory Affairs and Chief Privacy Officer of Microsoft, wrote this in a blog. This announcement is good news for all organisations that are considering switching to Office 365 while the end of support for older Office versions is nearing. With the new conditions, they will hopefully be able to use Office 365 in a privacy-safe way.

Technical improvements

Research by Privacy Company for Strategic Supplier Management Microsoft Rijk showed that Microsoft systematically collected a great deal of information about the individual use of the software (diagnostic data) through its Enterprise Office software, without users or system administrators being aware of it or being able to stop it. In the spring of 2019, Microsoft released a new Enterprise version of Office 365. In this new version, Microsoft has implemented important technical improvements, such as the ability to view the diagnostic data and to minimise the data collection.

Legal improvements

In early May 2019, SLM Microsoft Rijk and Microsoft reached agreement on fundamental improvements to the privacy terms. The main five legal improvements that the government has negotiated are:

(1) Clarification of Microsoft's role as a data processor for all types of personal data, not only for the Content Data;

(2) Limitation of the data processing to three legitimate purposes;

(3) A ban on the use of the data for profiling, data analytics, market research or advertisements;

(4) Agreement on how data can truly be anonymised, and;

(5) Effective audit rights for the Dutch central government.

Letter to Parliament

The Ministers of Justice & Security and of the Interior and Kingdom Relations (Home Affairs) have mentioned these improvements in a letter to Parliament (in Dutch only) and have concluded that there are no more objections for government institutions covered by this government contract to use the latest versions of Office 365 ProPlus, Windows 10 Enterprise and Azure. The research and improvements are also described in the four DPIA reports (in English) published by SLM Microsoft Rijk.

Veiled language

Microsoft is implementing the improvements in its Online Service Terms (OST). Organisations that will be using Office 365 for the first time in 2020 will automatically receive the new terms, but most organisations already have an agreement with Microsoft. They need to negotiate an amendment on their existing contract. It is important for all organisations to read carefully what improvements Microsoft is offering and whether they mitigate all the identified data protection risks. Microsoft excels in the use of veiled language. According to the blog, the changes to the OST are the result of 'additional feedback' from customers and Microsoft offers 'more transparency' in the new conditions. In fact, the change of the OST involves a fundamental change in the way Microsoft processes personal data. About this processing, the ministers wrote in their letter to Parliament that the collection, storage and use of the diagnostic data was not in accordance with the General Data Protection Regulation (GDPR). Microsoft also writes in its blog: "The only substantive differences in the updated terms relate to customer-specific changes requested by the Dutch MOJ, which had to be adapted for the broader global customer base."

Paul van den Berg, deputy Strategic Supplier Manager for Microsoft Rijk, says: "We are very satisfied with what we have achieved, but organisations that are not covered by the government contract still have to do some work themselves. We will continue to use our own terms and conditions for the time being, together with the Association of Dutch Municipalities and SURF, until we have compared those terms and conditions with the adjusted OST and we can be sure that all the identified risks have been and will continue to be remedied."

What happens next?

The most important question for all organisations that use Microsoft products is whether Microsoft will also implement the improvements for Windows 10 Enterprise, and for the mobile Office apps. That software is still outside of the OST. In April 2019, the EDPS, the supervisor of the compliance of the European institutions with privacy legislation, referred to the Dutch DPIAs and announced an investigation into the privacy conditions of Microsoft and other large software suppliers. The EDPS and SLM Microsoft Rijk have now joined forces in The Hague Forum for Cloud Contracting, to negotiate better conditions with all major cloud providers together with all European government buyers.

The EDPS recently invited Microsoft in a press release to implement the improvements also in the consumer versions of its software. This is a great opportunity for Microsoft to also bring its consumer products in line with its privacy vision.

Published on
11/21/2019
by
Sjoera
DPIA; Microsoft Office; SLM Rijk; privacy impact assessment