EU data protection legislation aims to give users more control over their personal data, and threatens companies with fines for collecting data without user consent and for data breaches. Countless companies have been struggling to become GDPR compliant, but it seems major tech players may not have taken it seriously. After Facebook and Google drew criticism for violating EU’s data protection law, it is now Microsoft’s turn to take the heat.
The tech giant is looking at a hefty fine after an investigation, commissioned by the Dutch government, found the company has violated the GDPR, which took effect this May, says an article by The Telegraph. The Dutch government is most concerned that affected users include government employees dealing with sensitive information daily. According to the report, over 300,000 government computers run Microsoft Office in the country -- computers that may have been affected by Microsoft’s data harvesting.
The investigation report from Privacy Company concludes Microsoft is responsible for the “large scale and covert collection” and storage of user personal information through Microsoft Office applications - Microsoft Office Pro Plus (Office 2016 MSI and Office 365 CTR) - without user consent.
Privacy Company carried out a Data Protection Impact Assessment (DPIA) on behalf of the Dutch Ministry of Security and Justice, and found that the Microsoft Enterprise Office version is used by a number of government agencies, including ministries, tax office and police. Microsoft illegally collected information about users’ online behavior v-a Word, Excel, PowerPoint and Outlook, and it harvested email headlines and pieces of content that had been translated and spellchecked through Microsoft’s tool.
“Microsoft collects information about events in Word, when you use the backspace key a number of times in a row, which probably means you do not know the correct spelling,” Privacy Company explains in a blog post. “But also the sentence before and after a word that you look up in the online spelling checker or translation service. Microsoft not only collects use data via the inbuilt telemetry client, but also records and stores the individual use of Connected Services. For example, if users access a Connected Service such as the translate service through the Office software, Microsoft can store the personal data about this usage in so called system-generated event logs.”
While other companies probably collect diagnostic info to improve experience or security, they are obliged to inform users about data collection practices and give them the opportunity to choose whether they accept or not. Microsoft kept quiet about its data collection strategy.
How long is the personal data stored for and where is it kept? This is another important issue tackled by the report, which found “the standard of protection of personal data in most countries in the world is lower than in the European Union.” It appears some of the content is stored in data centers in the EU to adhere to GDPR requirements, while other data “is transferred to and stored in locations in other places around the world,” including on servers in the US. By transferring information to US servers, Microsoft could expose EU users’ data to US law enforcement, without the individual’s consent to exploit their data.
Microsoft is working with authorities. Hoping to avoid a hefty fine, which right now seems to be right around the corner, the company is committed to addressing the problems pointed out in the report, giving users clear options to choose from and releasing an overall improvement plan.