Naughty Microsoft: Are GDPR Fines Incoming?

by Philip Robinson, 11.22.2018, Compliance

Microsoft have secretly been collecting data on how people in the EU are using their Office products and sending it to servers in the USA for storage, according to a report commissioned by the Dutch government.

Even those with a rudimentary understanding of the GDPR can see that this is a flagrant breach of the regulation and could potentially lead to huge, multi-million-euro fines.

Basically, Microsoft were collecting diagnostic data from some 330,000 Dutch government workers, with the majority of that data being stored on servers in the EU. Concerningly though, Microsoft were also gathering the content that users submitted to its translation and spell-check services, some of which was then sent to the USA for storage. All of this data collection was done so that Microsoft could determine usage habits in Word, Excel, PowerPoint and Outlook.

Crucially though, this data collection was done in secret, without informing the data subjects or giving them the option to opt in. Microsoft did not offer any choice over what data, or how much of it, was collected, nor any way to see what had been collected, as it was all encoded and could not be inspected.

The Dutch government were rightly worried about these practices and advised that government organisations should ban the use of “Connected Services” and remove the option for users to send data to “help improve” Office products. They have also suggested that administrators periodically delete privileged Active Directory accounts and create new ones, so that the diagnostic data tied to those accounts is purged.
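As an added, illustrative example (not from the original post, and not Microsoft's or Lepide's own guidance), the following PowerShell sets and then audits the Office policy values that implement the two recommendations above on a current Microsoft 365 Apps client: turn off diagnostic data and disable the connected experiences that send document content, such as translation and spell check, to Microsoft. The registry hive, value names and their meanings are assumptions based on the Office privacy controls Microsoft documented after this post was written (Office 365 ProPlus version 1904 and later); check them against your ADMX templates before deploying through Group Policy.

```powershell
# Added example: not code from the original post, Microsoft or Lepide.
# Assumes a Microsoft 365 Apps (formerly Office 365 ProPlus, 1904 or later)
# client whose privacy controls live under the Office 16.0 policy hive.
# Paths, value names and meanings are assumptions from Microsoft's published
# privacy-control policy documentation; verify before production use.

$privacyKey   = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\Privacy'
$telemetryKey = 'HKCU:\Software\Policies\Microsoft\Office\16.0\Common\ClientTelemetry'

# Desired state. For the Privacy values, 2 means "disabled"; for SendTelemetry,
# 1 = Required, 2 = Optional, 3 = Neither.
$desired = @(
    # "Help improve Office" style diagnostic data: send nothing.
    @{ Path = $telemetryKey; Name = 'SendTelemetry';                      Value = 3 }
    # Connected experiences that analyse content (translator, editor, spell check).
    @{ Path = $privacyKey;   Name = 'UserContentDisabled';                Value = 2 }
    # Connected experiences that download online content (templates, images).
    @{ Path = $privacyKey;   Name = 'DownloadContentDisabled';            Value = 2 }
    # Additional optional connected experiences.
    @{ Path = $privacyKey;   Name = 'ControllerConnectedServicesEnabled'; Value = 2 }
    # Master switch: 2 = all connected experiences off (the "ban" above).
    @{ Path = $privacyKey;   Name = 'DisconnectedState';                  Value = 2 }
)

function Set-OfficePrivacyPolicy {
    # Writes every desired value, creating the policy keys if they do not exist.
    foreach ($s in $desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord `
                         -Value $s.Value -Force | Out-Null
    }
}

function Test-OfficePrivacyPolicy {
    # Returns one row per setting: expected value, current value and whether
    # they match. A missing value is reported as $null and non-compliant.
    foreach ($s in $desired) {
        $current = $null
        if (Test-Path $s.Path) {
            $item = Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current = $item.($s.Name) }
        }
        [pscustomobject]@{
            Setting   = $s.Name
            Expected  = $s.Value
            Current   = $current
            Compliant = ($null -ne $current -and $current -eq $s.Value)
        }
    }
}

# Apply, then show any drift. In a real deployment the Set step is replaced by
# Group Policy or Intune; the Test step is what you keep running.
Set-OfficePrivacyPolicy
Test-OfficePrivacyPolicy | Format-Table -AutoSize
```

Run it in the context of the user whose Office profile you are locking down; the policy hive is per-user, so a fleet-wide deployment belongs in a GPO or Intune configuration rather than a login script that writes HKCU directly. The audit function is the useful half for compliance work: schedule it and alert on any row where Compliant is false. The report's separate suggestion of rotating Active Directory accounts is not reproduced here.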

Even the most junior compliance practitioner would see this as a pretty blatant breach of the GDPR, in particular because of the “lack of transparency and purpose limitation, and the lack of a legal ground for the processing.”

In some ways, if Microsoft isn’t hit with a large fine, it will undermine the whole concept of the GDPR. Cases like this are exactly the reason why the stricter data protection laws were introduced. Many organizations are already sceptical about whether the full penalty for a GDPR breach (up to €20 million or 4% of annual global turnover, whichever is higher) will ever be issued by a supervisory authority such as the ICO. Until we see it happen, I don’t think organizations are going to take this regulation as seriously as they should.

If no punishment is doled out, we might as well have never gone through the hassle of getting GDPR ready in the first place.

In a statement, a Microsoft spokesperson noted: “We are committed to our customers’ privacy, putting them in control of their data and ensuring that Office ProPlus and other Microsoft products and services comply with GDPR and other applicable laws. We appreciate the opportunity to discuss our diagnostic data handling practices in Office ProPlus with the Dutch Ministry of Justice and look forward to a successful resolution of any concerns.”

Are Microsoft saying this because they believe it, or because they want to avoid those pesky fines?

If you want to ensure that your organization doesn’t get caught out by the stringent requirements of the GDPR, come and take a look at our GDPR solution today.