Dutch investigators are conducting an investigation following claims that Microsoft Office is in breach of the European Union General Data Protection Regulations in relation to the data the software has been gathering including the content of private emails.
Those reviewing the suspected breach in the Netherlands have revealed, during their investigation of Microsoft Office, that they uncovered large scale collection of personal data. It is thought that users had not been informed that this was occurring and had not provided official permission.
A Microsoft spokesman said: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”
The computing giant maintains that the data was collected solely for functional and security purposes. However, the aforementioned investigation uncovered that Microsoft does collect data including email subject lines and snippets of content. Earlier this year Microsoft moved its data collection back to Europe in an effort to comply with the General Data Protection Regulation. Previously their process for accomplishing this was to export this data from the EU to data centres in the US.
The external consultancy that carried out the audit, Privacy Company, claimed that Microsoft engaged in ‘large scale and secret processing of data’ pertaining to clients.
The report from the Ministry of Justice said: “Data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that posed major risks to users’ privacy.”
Microsoft, it was revealed in the press release, had agreed in October to undertake an improvement plan for its services. It said: “Microsoft has committed to submitting these changes for verification in April 2019”. The company has been granted some space to address the issues in the processing of data or it may be subjected to massive fines. Under GDPR legislation, introduced last May, companies can be fined €20m of 4% of annual global revenue if they are found to be gathering unnecessary user data or for data breaches.
This comes as privacy advocates across the European Union have been submitting complaints to the relevant local data protection authorities in relation to data management and processing at Facebook, Google and a number of other Internet and social media related-companies.