Microsoft plans to update its Office Pro Plus products by the end of April to address a number of privacy concerns raised in an audit commissioned by the Dutch Ministry of Justice, which identified what the auditors called "high risks" for the privacy of government users.
The update for many of Microsoft's Office Pro Plus customers, which has been confirmed by Microsoft, will address concerns about a package of popular Microsoft programs that were sending diagnostic data from Europe to the United States without adequate documentation and user controls on what was sent.
Microsoft and the Dutch Ministry of Justice have agreed the changes as part of an "improvement plan" with an April deadline. A ministry spokesman told POLITICO that if Microsoft's responses proved "unsatisfactory", the ministry could raise concerns with European data protection authorities for further actions that could include "enforcement measures".
In a statement, Microsoft's primary legal and privacy counsel, Julie Brill, pointed out that the Dutch ministry had commissioned the audit as a customer of Microsoft and had not tried to take legal action against the company.
"The ministry has commissioned the report as a client to clarify how our services are managed and we are working with the ministry staff to share more information and help solve their questions as we would for all corporate clients," said Brill.
She added that the issues raised in the report, conducted by the Privacy Company, a Hague consulting firm, relate to "diagnostic data in a single product", Office Pro Plus, and that the company was "confident that this is consistent with the Dutch law and GDPR," the General Data Protection Regulation, the privacy law in Europe. Office Pro Plus includes a range of Microsoft programs.
"We feel good about what we are doing to offer customers transparency and choice on the diagnostic data they share with us, but we always want to do more," Brill said. "In the coming weeks we will take further steps to make it easier for customers to understand what data needs to be sent to Microsoft to run our services and why and where data sharing is optional."
When Microsoft updates its products, the update usually takes place worldwide for users of the product, and the company has not given any indication that it would be different in this case.
According to the data protection laws of the EU, the Irish Data Protection Commission is the "primary supervisory authority" charged with ensuring that Microsoft complies with the rules. If the Netherlands decided to escalate its concerns, it could make a request to the competent authorities of the Irish regulator. In the meantime, any problem would be closely monitored by the European Data Protection Board, which brings together all EU data regulators, and the European Data Protection Supervisor, who in turn can initiate investigations that could lead to an enforcement action.
A spokesman for the Irish Data Protection Commission said he was "aware of this issue and its significance for companies using the Microsoft product in question. As they became aware, the DPC immediately engaged with Microsoft looking for more information about the processing of telemetry data, in response to which Microsoft provides detailed answers."
The Privacy Company, a consulting firm that the ministry tasked with carrying out the audit, stated in a blog post summarizing the results that "Microsoft systematically collects large-scale data on the individual use of Word, Excel, PowerPoint and Outlook".
It added: "In secret, without informing people … Microsoft does not offer any choice about the amount of data or the possibility of deactivating the collection or the possibility of seeing what data is collected, since the data flow is encrypted." One of the main Dutch concerns was that the company was sending data to its servers in the United States.
Microsoft does not agree with some of the statements in the privacy report, but is making changes to its products as it usually does to satisfy customers. The company has previously told customers about its use of diagnostic data.
The new focus on privacy comes as several parts of Microsoft, one of the world's most valuable companies, have recently faced scrutiny over a series of privacy concerns, particularly LinkedIn, which Microsoft bought at the end of 2016 for $26 billion.
Nicole Leverich, a spokesperson for LinkedIn, said that "member data is never shared with customers at an individually identifiable level, only in aggregate for ad sales." Last November, the Irish Data Protection Commission found that LinkedIn used e-mail addresses of about 18 million non-LinkedIn members to target people with Facebook ads, all in an effort to grow its customer base.
Regulators noted that LinkedIn's actions violated its protection standards, although the dispute was resolved amicably.
Leverich said the company "fully cooperated with the 2017 DPC inquiry into a complaint about a European advertising campaign and found that the global processes and procedures in place were not followed. We have made internal changes to help protect against this inconvenience."
In Brazil last year, federal prosecutors said that Microsoft had violated local laws by collecting data from Windows 10 users without obtaining consent. In 2016, France ordered Microsoft to reduce the collection of user data and to block the tracking of web browsing habits of Windows 10 users without obtaining permission.
Despite these privacy setbacks, Brill has promoted the recent steps Microsoft has taken to improve user privacy, including "new features in the Windows installation process, advanced options for reporting error data to Xbox, a feature called Lockbox for Azure and updates to our Privacy Dashboard with new tools for parents to manage their child's settings," she said.
Saint or sinner?
Microsoft has been the subject of a series of complaints to the Irish Data Protection Commission, according to a Commission spokesperson, but none has been serious enough to justify a statutory investigation, and of the 16 open investigations on multinational technology companies, none is related to Microsoft. There were 3,500 complaints to the commission in total.
Unlike other technology companies, such as Facebook, which have drawn attention over privacy issues and problems of spreading false news, Microsoft has established itself as an example of good behavior, welcoming with enthusiasm the attention on the company and on the broader technology industry. Company leadership regularly highlights its proactive privacy investments. Last year, the US Supreme Court listened to arguments after Microsoft challenged a US search warrant for a customer's email that resided on Microsoft's servers in Ireland, and last May the company announced that it was extending the privacy rights that lie at the heart of the GDPR to its customer base all over the world.
"Having the scrutiny is really positive, I think," CEO Satya Nadella told the Washington Post last October. He urged the technology sector to improve its behavior. "Anyone who offers a very critical service must raise the security standards of that technology and the security of that technology."
The huge problems that afflict Facebook have also affected other companies, including Microsoft. The New York Times reported in December that Facebook gave Bing, the Microsoft search engine, the ability to view the names of almost all Facebook users' friends without authorization and also had data sharing agreements with companies like Netflix, Spotify, Amazon and Yahoo.
"Bing did not maintain Facebook-based profiles for advertising or customization purposes and we took significant engineering steps beyond those required by Facebook to ensure that this could not happen," said Brill.
"We concluded our contract with Facebook in February 2016 and the data stopped appearing in the search results."