Dutch govt issues data protection report card for Microsoft

You need to switch on E2EE in group meetings, watch out for US Cloud Act, warns impact assessment


A Data Protection Impact Assessment (DPIA) has been published by a Dutch ministry, noting that Microsoft still has work to do if the country's institutions are to use the company's products without all manner of mitigations.

The DPIA – issued by the Netherlands' department of Justice and Security – focused on Teams, OneDrive, SharePoint and Azure Active Directory and was conducted by SLM Rijk, the central negotiator for Microsoft, Google and AWS for Dutch government organisations, and by SURF, the central IT procurement organisation for Dutch universities.

The result? OK, but Microsoft must try harder.

The Dutch Ministry of Justice and Security has form when it comes to Microsoft. In 2019 it commissioned a report warning government institutions away from Microsoft Office Online and the company's mobile apps over worries regarding data processing.

The same outfit has produced this latest report and, although it noted that "Microsoft has implemented many legal, technical and organisational measures to mitigate the risks for data subjects when processing personal data," it warned there was still work to do around what the Windows giant is doing with data and called for a clear deadline on when End-to-End Encryption (E2EE) would be supported in group meetings and chat.

Mitigations suggested by the DPIA include enabling E2EE for Teams 1-on-1 calls by default and not exchanging anything sensitive via the platform when E2EE isn't possible.

Other concerns centre around our old friend, telemetry collection. With Microsoft's EU Data Boundary not due to be complete until the end of 2022 (meaning that some EU data might be transferred to the US), mitigations include simply accepting the risk until Microsoft is done and considering the use of pseudonyms where identities must remain confidential. Employee monitoring is also a worry, and the advice is to not enable Viva Insights and shut off functionality in Teams Analytics and reports.

The report said there was a "high risk related to unencrypted streaming and stored special categories of data," adding:

"There is a high data protection risk related to the possible access by US law enforcement and secret services to very sensitive and special categories of personal data. This risk occurs even though the Teams, OneDrive and SharePoint Content Data are already exclusively processed and stored in the EU, because access to these data can be ordered through US legislation such as the US CLOUD Act."

For Microsoft, as well as explaining how each of its services will work with the EU Data Boundary, the report requests measures such as a "functional Data Viewer Tool for OneDrive telemetry data on Windows and MacOS" and the disabling of Teams Analytics and reports by default.

The report concludes that if the mitigations are applied, then "there are no known high risks for the data processing." However, it did warn that should the European Data Protection Board (EDPB) assess the transfer risk posed by the use of the cloud giants as "much higher" even after the EU Data Boundary is complete, "organisations in the Netherlands would in fact no longer be able to use the services of US providers, and the consequences would be much greater than just the use of these Microsoft services."

Frank Karlitschek, founder of Nextcloud, commented on the report's findings: "The usage of Teams, OneDrive and other Microsoft services is highly problematic, especially for the European public sector.

"The [US] Cloud-Act forces Microsoft to provide all data to the US government independently of the location of the data center. Digital sovereignty is threatened because of the strong vendor lock-in of Microsoft services." ®
