Skip Navigation LinksArtikelAnzeige

Microsoft and GDPR compliance

Results of a Dutch Data Protection Impact Assessment (DPIA)

Paul van den Berg ist Leiter der niederländischen Beschäfftsungsbehörde SLM Microsoft Rijk

by Paul van den Berg, Strategic Procurement Manager at the Dutch Ministry of Justice and Security ("Microsoft Rijk")


Strategic dependency and Vendor Lock-in

Microsoft products have been omnipresent on the desktop for the best part of three decades. The products are generally of good quality and the users in our organisations mostly enjoy working with them.  Competition is scarce, and a vendor lock-in has transpired. The vendor lock-in ensures that there is an even deeper dependency once you choose the Microsoft Office 365 or Azure cloud services. As a result, an organisation must continue to meet the requirements and conditions set by Microsoft.

There are few alternatives available for specific Microsoft products with the same functionality. Where there is a choice, there are significant economic consequences as the Microsoft products suites will include similar features as the competitor and organisations are often forced to pay twice, one time for the functionality included in the Microsoft product Suite and onetime for the best-of-breed competitor. Also, a migration will take a few years and technical integration between vendors is discouraged as it is complex and difficult to maintain. Given the expected costs and the time needed to switch, this is a situation of strategic dependence on the vendor.

Due to the vendor lock-in and the time needed to find a replacement alternative, a situational monopoly is also fact. Microsoft can, for example, continually increase prices, which the client is forced to pay. Microsoft can also push the client to purchase more and more functionalities (with price increases as a consequence if that does not happen) raising barriers to market entry for competitors or innovative European start-ups even further.

From a Strategic Vendor Management perspective, it is extremely difficult to influence a situational monopolist like Microsoft to modify the way services are offered to meet national rules and regulation and to maintain data sovereignty while at the same time public sector organisations are considering to upgrade their IT infrastructure to include or even fully migrate to public cloud services.

As a public cloud service, software, for instance, Office 365, is offered as a Cloud service. The software runs mainly at Microsoft datacentres around the world, and there are automatic updates with high frequency.  There is also much telemetry, which means that, as explained in our Data Protection Impact Assessment (DPIA), personal data, including information about the device used and software usage, are collected and transmitted internationally. At least once a day there is a connection with Microsoft Identity and Access Management service whereby the user must obtain authorisation from Microsoft to be able to work with the service that day. Also, the full use of public cloud services ensures that the data and files produced by the government employees are stored with the service provider, giving Microsoft and it's subcontractors potential access to these files.


Data collection

Microsoft collects personal data. As soon as a PC is started up, Microsoft collects, amongst others, information about who uses the PC, who is sharing what, sometimes the location of the user, which software is used and thousands of other bits of information. This way a profile of a user can be drawn up. These profiles can be combined with private accounts of employees by linking data, for example when they have logged in via LinkedIn on their work computer. Behavioural profile data, also known as psychometric data, can be combined into psychographic data sets which can then be used to manipulate public opinion by sending customised messages to users. These tactics were for instance used to influence the Brexit referendum and US presidential elections. While these incidents have been attributed to Facebook and Cambridge Analytical and not Microsoft we always have to be vigilant that the purpose of any personal data shared between parties is limited to the absolute minimum required to facilitate a process.  Textfeld: The European Parliament is also concerned about these developments and has organised hearings to assess the potential impact of the use of profiles and social media on the democratic process. The speech of Professor of Ethics at Delft University Jeroen Van den Hoven to the EU parliament is of particular interest in this context.

Technically, Microsoft Corporation collects diagnostic data in different ways, via system-generated event logs and the Office telemetry client. Similar to the telemetry client in Windows 10, Microsoft has programmed the Office software to collect telemetry data on the device, and regularly send these to a massive database in the United States known as Cosmos. Microsoft has confirmed that it collects Office telemetry data on a much larger scale (up to 25.000 event types, compared to the max 1.200 event types in Windows 10 telemetry). After an investigation by several European Data Protections Authorities in 2016 and 2017, Microsoft has published extensive documentation about the Windows 10 telemetry data. Microsoft has also made a data viewer tool available within Windows 10 that allows users to see the telemetry data Microsoft collects.

 Textfeld: Strategic Vendor Management Several large IT suppliers, including Microsoft, Oracle and SAP, have a single point of contact within the Dutch central government. The point of contact for Microsoft is Strategic Vendor Management Microsoft Dutch Government (SLM Microsoft Rijk), which is based at the Ministry of Justice and Security and falls under the responsibility of the Deputy Secretary-General. For the avoidance of doubt, SLM Microsoft Rijk is not an oversight or supervisory body. We are primarily a procurement organisation.

Central DPIA

In GDPR terms, SLM Microsoft Rijk is not responsible for the processing of diagnostic data through the use of the Office or Windows software. However, as the central negotiator with Microsoft, it has a moral responsibility to assess the data protection risks for the employees and negotiate for a framework contract that complies with the GDPR. Therefore, SLM Microsoft Rijk has commissioned a Data Protection Impact Assessment (DPIA) to assist governmental organisations with selecting a privacy-compliant deployment and conducting their DPIAs where necessary. After all, only the organisations themselves can assess the specific data protection risks, based on their particular implementation, the level of confidentiality of their work and the types of personal data they process.


DPIA findings

The DPIA revealed that data provided by and about users was being gathered through Windows 10 Enterprise and Microsoft Office and stored in a database in the US in a way that can pose a high risk to users' privacy. A total of eight high risks were found in the DPIA that could lead to an incompliant situation if not addressed with mitigating measures.

These risks are:

1. No overview of the specific risks for individual organisations due to the lack of transparency (no data viewer tool, no public documentation)

2. No possibility to influence or end the collection of diagnostic data (no settings for telemetry levels)

3. The unlawful storage of sensitive/classified/special categories of data, both in metadata and in content, such as subject lines of emails

4. The incorrect qualification of Microsoft as a data processor, instead of a joint controller as defined in article 26 of the GDPR

5. Not enough control over sub-processors and factual processing

6. The lack of purpose limitation both for the processing of historically collected diagnostic data and the possibility to dynamically add new events

7. The transfer of (all kinds of) diagnostic data outside of the EEA, while the current legal ground is the Privacy Shield and the validity of this agreement is subject of a procedure at the European Court of Justice

8. The indefinite retention period of diagnostic data and the lack of a tool to delete historical diagnostical data


Improvement plan

On the basis of these findings, SLM Microsoft Rijk entered into discussions with Microsoft. On 26 October 2018 agreement was reached on an improvement plan in which Microsoft undertook to adapt its products for use by the Dutch government in compliance with the GDPR and other applicable legislation. The changes include making necessary adjustments to lower the risks. Microsoft also intends to provide adequate information, including a data viewer tool for the telemetry data from Office and offer the option for administrators to determine the desired level of telemetry.

Microsoft has committed to submitting these changes for verification in April 2019. SLM Microsoft Rijk will then assess the new versions of the products. Additionally, we plan to publish DPIA's on Windows 10, Office 365, Azure and Microsoft Dynamics and keep them up to date once a year.


Interim measures

In the meantime, central government organisations will need to take additional measures to block dataflows to Microsoft as much as possible. These measures, while cumbersome, will allow Microsoft product usage while still complying with the GDPR. Microsoft has provided instructions on how to limit the data flows in a document available on request from the support organisation.


In closing

A point of concern is that Microsoft has stated that the product improvements discussed in this article are only committed to enterprise products. The GDPR fixes are not available to organisations with less than 500 employees and consumers for the time being.  While we, at SLM Microsoft Rijk, believe that this concern needs addressing urgently, it falls outside our mandate to act in this case. The national or maybe the independent EU Data Protection Authorities have to act in this case.

SLM Microsoft Rijk believes that the only way to manage large tech giants like Microsoft, Google or Amazon is through European cooperation. We, therefore, welcome the possibility to work in a European context through organisations like Euritas. However, even then, the choice to accept a vendor lock-in at a national scale is one that should be reviewed through leadership on an on-going basis. As Strategic Vendor Management professionals we are only tasked with negotiating the best possible deal from a legal and commercial perspective once the choices have been made!


Additional Reading: