Monday, 19 November 2018 09:23

Dutch assessment finds Microsoft in violation of GDPR

By Sam Varghese

The Netherlands has found Microsoft in violation of the European Union General Data Protection Regulation on many fronts, with a general data protection impact assessment finding that the company collects and stores personal data on a large scale without any public documentation of that collection.

The assessment was carried out by an organisation known as Privacy Company and examined the data collection on 300,000 computers used by the national government. The software examined was Microsoft Office 2016 and Office 365.

The procurement of software is looked after by the government's Microsoft Strategic Vendor Management office known as SLM Rijk, but individual organisations buy licences and decide on the settings and scope of processing by Microsoft in the US.

Privacy Company's Sjoera Nas said in a blog post that Microsoft had agreed to make a number of changes to lower data protection risks.

The assessment found that Microsoft covertly collects huge amounts of data on the use of Word, Excel, PowerPoint and Outlook by individual users.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded," Nas wrote.

A total of 23,000 to 25,000 types of events are sent to Microsoft's servers and this data is much more specific than the telemetry data slurped up by Windows 10. An earlier study in 2017 looked at the telemetry data collected by Windows 10 and found that data about 1000 to 1200 events was collected.

After Microsoft agreed to mitigate some risks, the assessment found that six high risks remained:

  • The unlawful storage of sensitive/classified/special categories of data, both in metadata and in, for example, subject lines of e-mails;
  • The incorrect qualification of Microsoft as a data processor, instead of as joint controller as defined in article 26 of the GDPR;
  • Insufficient control over sub-processors and factual data processing;
  • The lack of purpose limitation, both for the processing of historically collected diagnostic data and the possibility to dynamically add new types of events;
  • The transfer of (all kinds of) diagnostic data outside of the European Economic Area, while the current legal ground for Office ProPlus is the Privacy Shield and the validity of this agreement is the subject of a procedure at the European Court of Justice; and
  • The indefinite retention period of diagnostic data and the lack of a tool to delete historical diagnostic data.

While Nas offered some steps to reduce the privacy risks, she noted that it was not possible to solve all issues and "with regard to the contracts and transfer of personal data to the US, a European solution must be sought".

Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.