A Data Protection Impact Assessment (DPIA) has been published by a Dutch ministry, noting that Microsoft still has work to do if the country’s institutions are to use the company’s products without all manner of mitigations.
The DPIA – issued by the Netherland’s department of Justice and Security – focused on Teams, OneDrive, Sharepoint and Azure Active Directory and was conducted by SLM Rijk, the central negotiator for Microsoft, Google and AWS for Dutch government organisations, and by SURF, the central IT procurement organisation for Dutch universities.
The result? OK, but Microsoft must try harder.
The Dutch Ministry of Justice and Security has form when it comes it Microsoft. In 2019 it commissioned a report warning government institutions away from Microsoft Office Online and the company’s mobile apps over worries regarding data processing.
The same outfit has produced this latest report and, although it noted that “Microsoft has implemented many legal, technical and organisational measures to mitigate the risks for data subjects when processing personal data” it warned there was still work to do around what the Windows giant is doing with data and called for a clear deadline on when End-to-End Encryption (E2EE) would be supported in group meetings and chat.
Mitigations suggested by the DPIA include enabling E2EE for Team 1-on-1 calls by default and not exchanging anything sensitive via the platform when E2EE isn’t possible.
Other concerns centre around our old friend, telemetry collection. With Microsoft’s EU Data Boundary not due to be complete until the end of 2022 (meaning that some EU data might be transferred to the US) mitigations include simply accepting the risk until Microsoft is done and consider the use of pseudonyms where identities must remain confidential. Employee monitoring is also a worry, and the advice is to not enable Viva Insights and shut off functionality in Teams Analytics and reports.
The report said there was a “high risk related to unencrypted streaming and stored special categories of data,” adding:
- Dutch government: Did we say 10 ‘high data protection risks’ in Google Workspace block adoption? Make that 8
- UK.gov admits it has not performed legally required data protection checks for COVID-19 tracing system
- Vodafone hounds Czech customers for bills after they were brute-forced with Voda-issued PINs
- Campaigners demand judicial review of NHS deal with Peter Thiel’s AI firm Palantir
For Microsoft, as well as explaining how each of its service will work with the EU Data Boundary, the report requests measures such as a “functional Data Viewer Tool for OneDrive telemetry data on Windows and MacOS” and the disabling of Teams Analytics and reports by default.
The report concludes that if the mitigations are applied, then “there are no known high risks for the data processing.” However, it did warn that should the European Data Protection Board (EDPB) assess the transfer risk posed by the use of the cloud giants as “much higher” even after the EU Data Boundary is complete, “organisations in the Netherlands would in fact no longer be able to use the services of US providers, and the consequences would be much greater than just the use of these Microsoft services.” ®