Commissioned by the Dutch Ministry of Justice and Security and SURF, the ICT procurement organisation for universities, Privacy Company conducted a new investigation into the privacy risks of Microsoft Teams, OneDrive and SharePoint. The outcome is that Microsoft has taken measures to remedy the six high risks, but organisations should not use these cloud services to exchange or store sensitive and special categories of personal data. They may only do so if they can encrypt the content with encryption keys under their own control. This measure is necessary because of the high risk of possible access to those data from the United States. This risk remains even after 2022, when Microsoft will process almost all personal data of its European Enterprise and Education customers exclusively in European data centres.
We publish this blog with permission from the Ministry and SURF. You can read the complete DPIA (in English) here. For questions about the DPIA, please contact SLM Rijk (Strategic Supplier Management Microsoft, Google and AWS Rijk), which can be contacted via the Ministry of Justice press office, 00 31 70 370 73 45.
Microsoft Teams allows people to make videocalls and share information in permanent chat channels, with people inside and outside their organisation. The OneDrive and SharePoint services are used for storing and sharing files in the Microsoft cloud. Teams, OneDrive and SharePoint are cloud services. The DPIA does not address local use of OneDrive and SharePoint, on premises.
To use the online services, users can install software on their own devices or log in via a browser. This DPIA examines the data traffic from the three services from installed applications on the operating systems MacOS, Windows, iOS, and Android, and through a Chrome browser. To log in, the Microsoft Azure Active Directory was used (a kind of online phone book, containing the login names and passwords of all users).
The new DPIA is mainly about the risks of collecting and processing so-called Diagnostic Data, that is, data about the individual use of the services. For example: how often you call who via Teams, what kind of pictures you add in the chat or on an intranet page, and what kind of documents you write, read and share. Additionally, the report addresses the privacy risks of using Microsoft's cloud for the Content Data you can share through these services.
Microsoft collects Diagnostic Data in several technical ways, through system-generated server logs on its own cloud servers and through the so-called telemetry client built into the Teams, OneDrive and SharePoint software. That client is programmed to systematically collect telemetry data on the end user's device (or, from the browser in Office for the Web) and send it periodically to Microsoft's servers in the US. The Diagnostic Data is different from, and technically distinguishable from, the functional data that Microsoft must process (temporarily) to enable users to use Microsoft's online services over the Internet.
SLM Rijk concluded new privacy terms with Microsoft in early May 2019 for the 300,000 digital workstations of the central government. In late 2019, SURF concluded the same terms for the Dutch universities. The new terms apply to the Enterprise and Education versions of the Office software in use by the ministries, the tax authorities, the police, the judiciary and affiliated independent administrative bodies. Since then, Microsoft has acted only as a data processor for all of its online services. Microsoft may only process the personal data for three purposes, and is prohibited from processing any personal data for profiling, data analytics, market research or advertising. Microsoft has provided effective audit rights to the Dutch government. Privacy Company has performed repeat inspections since 2019 to verify that Microsoft was living up to its commitments and had taken the promised improvement measures.
The result of this DPIA, after repeated consultations with Microsoft, is that there are no more known high risks resulting from the processing of the diagnostic data, if the system administrators of the organisations follow the previous recommendations about using Office 365. However, there is a high risk if organisations use Teams to exchange highly sensitive and special categories of data, due to potential access by law enforcement and security agencies in the US. The six low risks are:
Microsoft is a U.S. company, and according to the European Court of Justice (Schrems-II), U.S. national security laws do not provide sufficient legal protection for Europeans if their personal data are intercepted or when disclosure is ordered. This risk occurs even when these data are processed and stored exclusively in the EU, as access to these data can be compelled through US legislation such as the US CLOUD Act. The fact that Microsoft applies encryption to all customer data in transit over the Internet, and to stored files, cannot eliminate this risk either. As long as Microsoft has access to the key, it can be compelled to decrypt and disclose the data, although this risk seems mostly theoretical.
The most important mitigation measure for organisations in Europe against this risk of mass surveillance is to encrypt the data with a key under their own control, which even a vendor like Microsoft does not have access to. Microsoft does offer end-to-end encryption (E2EE) for storage of commonly used file formats in OneDrive and SharePoint, but not yet for calls in Teams with more than two people, only for unscheduled one-to-one calls.
Thus, organisations should not exchange sensitive or special categories of personal data through Teams unless the data is inherently public (such as public lectures or some court cases) because they have no control over the encryption keys. To protect sensitive and special categories of personal data in OneDrive and SharePoint, organisations can use Microsoft's Double Key Encryption (DKE). Privacy Company has written a public report on DKE (in Dutch only) at the request of the NBV of the AIVD.
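The mitigation described above, a key the vendor never holds, can be made concrete with a small model of double-key wrapping. The Go program below is an added illustration written for this blog post; it is not Microsoft's DKE implementation and does not reproduce its protocol. It assumes two hypothetical key-encryption keys, `customerKEK` (held on the organisation's own infrastructure) and `providerKEK` (held by the cloud provider), wraps a per-document content key under both, and shows that the provider's key alone cannot recover the content.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the cloud provider stores: the document ciphertext and the
// content key wrapped first under the customer's KEK, then under the provider's.
// Illustrative model of double-key wrapping only; not Microsoft's DKE code.
type Envelope struct {
	Ciphertext []byte
	WrappedKey []byte
}

// gcmSeal encrypts with AES-256-GCM and prepends a fresh random nonce.
func gcmSeal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmOpen reverses gcmSeal; a wrong key fails authentication and returns an error.
func gcmOpen(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// NewKEK returns a random 256-bit key (hypothetical helper for this example).
func NewKEK() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return k, nil
}

// EncryptDoubleKey encrypts a document under a fresh content key and wraps that
// key so that both KEKs are required to recover it.
func EncryptDoubleKey(plaintext, customerKEK, providerKEK []byte) (*Envelope, error) {
	contentKey, err := NewKEK()
	if err != nil {
		return nil, err
	}
	ct, err := gcmSeal(contentKey, plaintext)
	if err != nil {
		return nil, err
	}
	inner, err := gcmSeal(customerKEK, contentKey) // customer layer
	if err != nil {
		return nil, err
	}
	outer, err := gcmSeal(providerKEK, inner) // provider layer
	if err != nil {
		return nil, err
	}
	return &Envelope{Ciphertext: ct, WrappedKey: outer}, nil
}

// DecryptDoubleKey unwraps with the provider KEK, then the customer KEK, then
// decrypts the document. Without either KEK only ciphertext remains.
func DecryptDoubleKey(env *Envelope, customerKEK, providerKEK []byte) ([]byte, error) {
	inner, err := gcmOpen(providerKEK, env.WrappedKey)
	if err != nil {
		return nil, fmt.Errorf("provider unwrap failed: %w", err)
	}
	contentKey, err := gcmOpen(customerKEK, inner)
	if err != nil {
		return nil, fmt.Errorf("customer unwrap failed: %w", err)
	}
	return gcmOpen(contentKey, env.Ciphertext)
}

func main() {
	customerKEK, _ := NewKEK() // held on-premises by the organisation
	providerKEK, _ := NewKEK() // held by the cloud provider
	env, err := EncryptDoubleKey([]byte("constructed sample: special-category record"), customerKEK, providerKEK)
	if err != nil {
		panic(err)
	}
	// A disclosure order served on the provider yields providerKEK only;
	// the customer layer still fails to open.
	_, err = DecryptDoubleKey(env, make([]byte, 32), providerKEK)
	fmt.Println("provider alone:", err)
	pt, err := DecryptDoubleKey(env, customerKEK, providerKEK)
	fmt.Println("both keys:", string(pt), err)
}
```

The property the DPIA relies on is visible in `DecryptDoubleKey`: the provider can peel off its own layer, but what remains is still a ciphertext under the customer's key, so a compelled decryption at the provider yields nothing readable. In a real deployment the customer layer would be an HSM- or on-premises-backed key service rather than a byte slice in memory.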
Since June 2019, as a result of its negotiations with SLM Rijk and SURF, Microsoft has taken many legal, technical, and organisational measures to mitigate the risks for data subjects due to processing of personal data through the use of Teams, OneDrive, SharePoint, and the Azure AD. In response to the initial findings of this DPIA, Microsoft has committed to mitigate a number of shortcomings, and has provided significant assurances about its data processing.
Given the risks of using U.S. cloud providers, Microsoft must make more adjustments and improvements to mitigate the remaining high risk and the six identified low risks. Microsoft must disclose when it will enable E2EE for all Teams exchanges. In addition, Microsoft must become more transparent about the content of Required Service Data and organise an audit on its compliance with the agreed purpose limitation and retention periods for that personal data. Finally, Microsoft must comply with the requirement that default settings be privacy friendly (data protection by default). That means Microsoft must allow system administrators to actively turn on new analytics services, based on clear information.
It is uncertain how national data protection authorities will assess the transfer risks in their joint investigation into the use of cloud services by public sector organisations. The results are expected by the end of 2022. For this DPIA the transfer risks have been rigorously assessed, including a separate DTIA. If necessary, the DPIA and DTIA will be updated in 2023.
If the EDPB were to assess the transfer risks as high, even after Microsoft completes its EU Data Boundary, organisations in the Netherlands will effectively no longer be able to use services from US providers, and the consequences will be much greater than just using these Microsoft services.