
Microsoft could face major EU GDPR fine

(Image credit: JPstock / Shutterstock)

Microsoft has been collecting data on how people in the EU use its Office products without telling them, and has been sending some of that data to, and storing it on, servers in the US.

That sets off just about every GDPR alarm there is, and the company could be looking at a multi-million-dollar fine.

The findings were published by the Dutch government, which commissioned an investigation into how Office handles the data generated by its own employees, some 330,000 civil servants. The research concluded that most of what Microsoft collects is diagnostic data, and that most of it stays on servers in the EU. However, the company also gathered content-related information, such as text sent through the translation or spell-checking services, and some of that data did not stay on EU soil.

"Microsoft systematically collects data on a large scale about the individual use of Word, Excel, PowerPoint and Outlook. Covertly, without informing people," said a blog post written by Privacy Company, the researchers behind the report.

"Microsoft does not offer any choice with regard to the amount of data, or possibility to switch off the collection, or ability to see what data are collected, because the data stream is encoded."

For example, if you hit the backspace key a few times to correct a word, Word treats that as a sign that you were unsure how to spell it, and stores both the sentence as it was before the correction and the sentence after it.

"Microsoft should not store these transient, functional data, unless the retention is strictly necessary, for example, for security purposes," it argues.

According to the report, Microsoft tracks some 25,000 types of "events" and has up to 30 people working on the data. Microsoft also offers a "zero exhaust" version of Office, which the researchers recommend the government's workers use. They also recommend blocking Microsoft's "Connected Services" and removing the option that lets users send data to "help improve" Office.
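The report's recommendations translate into client-side Office policy settings that an administrator can push and then audit. The following PowerShell is an added example, not code from the article or from the report's authors: it writes the Office telemetry, connected-experience and feedback policy values to the current user's policy hive and then reports whether each one is in the desired state. The registry paths and value meanings are taken from Microsoft's Office privacy-control documentation as the editor understands it for Office 2016 / Microsoft 365 Apps (the `16.0` branch); treat them as assumptions to verify against current documentation before deploying, and note that the "zero exhaust" build the report mentions is a separate installation rather than these keys.

```powershell
# Added example: apply and audit the Office privacy policy registry values that
# correspond to the report's recommendations. Paths and values are assumed from
# Microsoft's documented Group Policy equivalents; verify before deployment.
# Run as the user being locked down, or deploy the same values via GPO / Intune.

$Office = 'HKCU:\Software\Policies\Microsoft\Office'

# Desired state. Documented policy semantics (assumed):
#   SendTelemetry                       1 = Required, 2 = Optional, 3 = Neither
#   DisableTelemetry (older Office 2016) 1 = telemetry collection off
#   DisconnectedState                   2 = all connected experiences off
#   UserContentDisabled                 2 = experiences that analyse content off
#   DownloadContentDisabled             2 = experiences that download content off
#   ControllerConnectedServicesEnabled  2 = optional connected experiences off
#   SendCustomerData                    0 = no "help improve Office" data
#   Feedback\Enabled                    0 = in-product feedback (may carry content) off
$Desired = @(
    @{ Path = "$Office\Common\ClientTelemetry";      Name = 'SendTelemetry';                      Value = 3 },
    @{ Path = "$Office\16.0\Common\ClientTelemetry"; Name = 'DisableTelemetry';                   Value = 1 },
    @{ Path = "$Office\16.0\Common\Privacy";         Name = 'DisconnectedState';                  Value = 2 },
    @{ Path = "$Office\16.0\Common\Privacy";         Name = 'UserContentDisabled';                Value = 2 },
    @{ Path = "$Office\16.0\Common\Privacy";         Name = 'DownloadContentDisabled';            Value = 2 },
    @{ Path = "$Office\16.0\Common\Privacy";         Name = 'ControllerConnectedServicesEnabled'; Value = 2 },
    @{ Path = "$Office\16.0\Common";                 Name = 'SendCustomerData';                   Value = 0 },
    @{ Path = "$Office\16.0\Common\Feedback";        Name = 'Enabled';                            Value = 0 }
)

function Set-OfficePrivacyPolicy {
    # Create each policy key if needed and force the DWORD to the desired value.
    foreach ($item in $Desired) {
        if (-not (Test-Path $item.Path)) {
            New-Item -Path $item.Path -Force | Out-Null
        }
        New-ItemProperty -Path $item.Path -Name $item.Name -Value $item.Value `
            -PropertyType DWord -Force | Out-Null
    }
}

function Test-OfficePrivacyPolicy {
    # Emit one object per setting; Compliant is $false when the value is
    # missing or differs, so the output can feed a compliance report.
    foreach ($item in $Desired) {
        $current = $null
        if (Test-Path $item.Path) {
            $current = (Get-ItemProperty -Path $item.Path -Name $item.Name `
                -ErrorAction SilentlyContinue).($item.Name)
        }
        [pscustomobject]@{
            Setting   = "$($item.Path)\$($item.Name)"
            Expected  = $item.Value
            Current   = $current
            Compliant = ($current -eq $item.Value)
        }
    }
}

Set-OfficePrivacyPolicy
Test-OfficePrivacyPolicy | Format-Table -AutoSize
```

Running `Test-OfficePrivacyPolicy` on its own, without the `Set-` call, is the useful audit step: any row with `Compliant` equal to `$false` is a machine where a user or a later policy refresh has re-enabled a data flow the report says should be off.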

The researchers also advise against using the web-only version of Office 365 and SharePoint Online. For VIP users, they suggest that administrators periodically delete the Active Directory account and create a new one, so that the diagnostic data tied to the old account is deleted.

And finally, the researchers suggest that everyone consider "alternative software", something that "would be in line with the Dutch government policy to promote open standards and open source software."
