ENA recent assessment carried out by the Dutch ministry of justice and security revealed that Microsoft is violating the GDPR. The 90-page-long report has concluded that the tech giant is potentially putting the privacy of more than 300,000 Dutch government employees at risk with its Microsoft Office platform.
Despite the fact that the general data protection regulation was enforced in May this year, many companies still fail to comply with the law. For Microsoft, the claim may lead to substantial fines from the European Union.
Why is the GDPR important?
The GDPR is meant to protect the privacy of EU citizens and prohibits companies from collecting excessive amount of data about its customers. It also gives people more choice about their personal information and allows to opt out of data collection, as well as view and delete all the data gathered by any company.
Microsoft Office is a set of applications used by many companies and agencies in the Netherlands, including the government. Applications include Microsoft Word, PowerPoint, Excel, Outlook and others.
Is Microsoft breaching the GDPR?
The assessment report has highlighted that Microsoft is breaching the GDPR by not allowing users to easily opt out of data collection or delete all their information. Microsoft is also being accused of collecting and processing ‘behavioral’ data which includes parts of classified content.
The report specifies that Microsoft now collects information like words typed and deleted, or corrected with a spellchecker, as well as the line of text above and below the said sentence. Subjects of emails and file names are also collected and stored. All this data may contain personal and classified information from the Dutch government employees.
Risks of storing your data with US companies
A risk in this case is that all this information is stored in the Microsoft data centers in Europe and the USA. Because privacy laws in the US are not as strict as in the EU, it can pose a potential threat of government intervention and a security breach. Moreover, because America has adopted the CLOUD act, it gives the US authorities an opportunity to access data gathered by American companies, even if it was collected and stored overseas.
Microsoft has agreed to review its policy and announced that the changes will be implemented as soon as April 2019.
Generally, companies dealing with sensitive information and confidential files are advised to store it with the Cloud storage providers inside European Union. vBoxxCloud is a Dutch Cloud solution that stores your data on privately owned servers in the Netherlands and is fully GDPR compliant. Our company also exercises the Zero-knowledge policy, meaning that we know nothing about the data you store and do not collect any extra information about our clients. Read more about it or start a trial here: