The assessment was carried out by an organisation known as Privacy Company and examined the data collection on 300,000 computers used by the national government. The software examined was Microsoft Office 2016 and Office 365.
The procurement of software is looked after by the government's Microsoft Strategic Vendor Management office known as SLM Rijk, but individual organisations buy licences and decide on the settings and scope of processing by Microsoft in the US.
Privacy Company's Sjoera Nas said in a blog post that Microsoft had agreed to make a number of changes to lower data protection risks.
"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded," Nas wrote.
A total of 23,000 to 25,000 types of events are sent to Microsoft's servers and this data is much more specific than the telemetry data slurped up by Windows 10. An earlier study in 2017 looked at the telemetry data collected by Windows 10 and found that data about 1000 to 1200 events was collected.
After Microsoft agreed to mitigate some of the risks, the assessment found that six high risks remained:
- The unlawful storage of sensitive/classified/special categories of data, both in metadata and in, for example, subject lines of e-mails;
- The incorrect qualification of Microsoft as a data processor, instead of as joint controller as defined in article 26 of the GDPR;
- Insufficient control over sub-processors and factual data processing;
- The lack of purpose limitation, both for the processing of historically collected diagnostic data and the possibility to dynamically add new types of events;
- The transfer of (all kinds of) diagnostic data outside of the European Economic Area, while the current legal ground for Office ProPlus is the Privacy Shield and the validity of this agreement is the subject of a procedure at the European Court of Justice; and
- The indefinite retention period of diagnostic data and the lack of a tool to delete historical diagnostic data.
While Nas offered some steps to reduce the privacy risks, she noted that it was not possible to solve all issues and "with regard to the contracts and transfer of personal data to the US, a European solution must be sought".