Microsoft Office 365 data protection under criticism
Microsoft is busily promoting the move to its cloud. Office 365 is replacing the classic, locally installed program package in many offices. Unfortunately, this cloud does not meet all European data protection regulations, and the data collection in Office and Windows 10 has drawn a lot of criticism. That criticism is now official: the Hessian data protection commissioner prohibited the use of Office 365 in Hessian schools in July 2019. He was particularly annoyed by the fact that "a wealth of telemetry data is transmitted to Microsoft" via Office 365 and that its content left questions unanswered.
Use of Office 365 in schools tolerated under certain conditions
After Microsoft had promised improvements in talks and had been able to dispel some of the concerns, the data protection commissioner declared in August that he would tolerate the use of Office 365 in schools in Hesse for the time being, subject to certain conditions and the reservation of further checks. This applies to the use of Office 365 from version 1904 (Office 365 ProPlus, Office 365 Online and Office 365 Apps), if schools have already purchased these and trusted that their use was lawful. However, they must temporarily stop the transmission of diagnostic data.
Data protection risks in Microsoft Office 365
A Dutch supervisory authority also criticised data protection risks. Between 23,000 and 25,000 events are transmitted to Microsoft for the Office applications. Not even Microsoft knows exactly what types of data are transmitted. The extent of data collection by the Office applications is therefore much greater than that under Windows 10. Administrators at the authorities were able to prove the transfer of file names, paths and mail meetings in logs. Other points of criticism include the use of Office data for Microsoft's own purposes and weaknesses in certificates. It is also not possible to delete data individually; the only way is to delete the entire account.
Microsoft's privacy measures
Microsoft has taken some measures to respond to the criticism. New settings are meant to limit the transmission of telemetry data. The software giant is currently developing an analysis tool to better control the flow of data. However, Microsoft is not eliminating all the risks that have been warned about. It has not yet given any assurance in this regard.
Data processing in companies and schools
If you want to be on the safe side, you could now stop all data processing with Microsoft Office. But this is probably not a realistic option for most companies; after all, the Office programs have been standard in business life for a long time. The situation is similar for schools. Instead, they need better government support for data protection. Currently, the state does not even provide its teachers with their own email address. The teachers communicate and send student data via their own provider, via USB stick or even with WhatsApp, which is the worst solution for data protection. They manage student data on their own computers, and unencrypted hard drives and insecure passwords are in circulation. One may doubt whether deletion management is carried out correctly.
Tips for using Office 365 in practice
For the time being, companies and schools can continue to use the Office 365 applications, now that Microsoft has promised improvements in data protection. However, you should keep track of whether Microsoft is actually adhering to this and what the regulatory authorities are doing.
Opinion of the Hessian Data Protection Commissioner: