Microsoft facing GDPR fine over Office 365 telemetry

25,000 Office 365 'events' recorded and shared among 30 engineering teams at Microsoft

Microsoft could be on the hook for a big fine from data protection authorities in the Netherlands after investigators concluded that the company's Office suite data collection breaks EU rules.

The report cites issues with the ProPlus subscription for the desktop suite and the web-based version of Office 365, which could mean the software giant is in breach of the EU's GDPR legislation, which came into force in May.

The report suggests that the telemetry collected during use of the package was not fully documented by Microsoft, nor is there an option for users to turn it off.

However, the issue isn't so much to do with the regular telemetry, which the report acknowledges is part of modern software, as with the level of data collection.

The report claims that Microsoft appears to be collecting subject lines from emails and full sentences that are run through a spelling and grammar checker or the translation tool.

In fact, a total of 25,000 'events' are recorded and the data can be seen by up to 30 teams of engineers. Compare this with Windows 10, which collects a mere 1,200 event types, shared among 10 engineering teams.

Microsoft is apparently working with European Union authorities on a solution that meets criteria without leaving a mess. It has also pledged to provide the missing documentation, provide options for levels of collection and create a tool for sysadmins and users that will let them see exactly what dirt Microsoft has.

A lot of the collection items on the list are quite technical, and for the tool to be of much use, there will also need to be some sort of glossary or a plain English version of the listings.

GDPR has some serious teeth when it comes to the improper use of data, with Microsoft potentially on the hook for up to two per cent of the company's annual revenue, a minimum of €10 million.

In July, Microsoft published a GDPR compliance document detailing Windows 10 connections.

The 438-page document "lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later" and offers ways in which users can manage or block the various connections that Windows 10 routinely makes in the background.