Netherlands' government: Staff shouldn't use Office due to privacy problems over telemetry

Report recommends against using Office Online or Office mobile apps over exfiltration of data

A new report commissioned by the Dutch government has recommended, on security and privacy grounds, that government employees should not use Office Online or the Office mobile apps.

The recommendation follows an investigation by Dutch investigators, reported in November, which concluded that Microsoft's collection of what it claims is telemetry data is in breach of GDPR.

Following on from that report, Microsoft agreed to changes to bring Office into line, but the new report indicates that the authorities in the Netherlands don't believe they are being fully adhered to. In one example in the new report, it was found that data from some 300,000 top-tier Office users with the '365 Pro Plus' package was being sent back to the US for storage. It also found that three of the mobile apps were sending data to a US profiling specialist.

However, the report, by a group of consultants called Privacy Company, suggests that old-fashioned desktop versions of Microsoft Office are now GDPR-compliant.

"The Dutch government will continue to negotiate with Microsoft to bring Windows and the mobile apps within the scope of the new privacy terms and to implement the same technical improvements for Office Online," the report concluded.

And there may be more trouble brewing for Microsoft in terms of Windows 10 telemetry and data exfiltration practices. The report recommended that government workstations running Windows 10 should have their telemetry settings dialled down to the lowest possible level for the time being.

Privacy Company also recommended that private organisations ought to establish their own broad privacy bodies to exert pressure on Microsoft - and, presumably, other software and cloud vendors - to reduce the level of telemetry and other data collection they engage in.

"Companies and organisations outside the central Dutch government can take a number of mitigating measures themselves (see the list at the bottom of this blog), but only Microsoft is able to eliminate the high privacy risks. This is why these organisations should negotiate privacy guarantees similar to those of the national government, preferably via an umbrella organisation or professional association," it recommended.

Software contract agreements are currently the focus of an investigation by the European Data Protection Supervisor, an investigation that will also encompass the processing of large amounts of personal data.

Microsoft 365 was updated in May with new security and privacy features - although not sufficient to satisfy the Dutch government. And the company has repeatedly run into problems in Europe over telemetry data and user privacy.