In a report on data privacy, the Dutch government sees six risks in using Microsoft applications. However, these are minor problems: Microsoft eliminated major risks in the meantime.
The Dutch government publishes a Data Protection Impact Assessment (DPIA) for the professional use of Microsoft Teams in combination with OneDrive, SharePoint Online and Azure Active Directory. The report was prepared by SLM Microsoft Rijk: a Dutch government agency responsible for contracts with the cloud provider. The body also prepared a report in 2019 and it was very negative then. Today, Microsoft gets a better report.
No big risks, but small ones
According to the DPIA, there are no longer any major risks regarding the diagnostic data Microsoft collects. Several smaller risks do remain. Currently, diagnostic data still moves to the U.S. on a limited basis. That would be remedied by the end of this year courtesy of the Microsoft EU Data Boundary. Furthermore, the report cites a lack of transparency from Microsoft about the data it collects. Moreover, in some very specific cases, data is not anonymized.
The Dutch report has further doubts about Teams Analytics and Viva Insights. For these, Microsoft keeps data related to users. The company does not want to disable the functionality by default, so it is up to instances to do that themselves. Still, Microsoft will continue to eliminate the link between SharePoint and Bing when organizations disable Controller Connected Experiences. That’s not quite in order for now.
US can watch
The Dutch point out one more major risk in using Microsoft services. After all, under the US CLOUD Act, the US government can gain access to sensitive data. That risk remains even when data is kept only within the EU. After all, Microsoft is an American company, which has to listen to American laws. You can mitigate the risk by encrypting data in OneDrive itself, it sounds.
For group conversations with Teams, Microsoft does not yet offer end-to-end encryption. That functionality is coming, but Redmond is not sticking a deadline on it.
The report shows that the Netherlands gives Microsoft a passing grade, although there are still several work points. At least some of the concerns would soon be ironed out. SLM Microsoft Empire does still caution that the DPIA is secondary to any other conclusions the European Data Protection Board may draw in the future.