Microsoft is secretly transferring data of user’s behaviour to the US for its own purpose. With this misuse of data Microsoft is driving its customers into non-compliance since the data transfer to Microsoft is lacking a legal basis. In addition, the customers are facing the risk of damages as joint controller. These conclusions are based on a Privacy Impact Assessment (PIA)1 which was published by the Dutch Government.2
According to the PIA Microsoft is tracking 300.000 employees of the Dutch Government who are working with Word, Excel, PowerPoint and Outlook in the software versions of Microsoft Office ProPlus software (Office 2016 MST and Office 365 CTR).3 E.g., Microsoft collects information of certain events in its Word software of the use of the backspace key, which is likely a signal that the user does not know the correct spelling of the word he is typing. The tracking data is transferred to the US in encrypted form. Therefore, the Dutch Government has only limited knowledge which data is sent to Microsoft. Microsoft admits that no specific documentation about the use of the tracking data is available.4
Although the PIA lists some mitigating measures that may be taken by the customer of Microsoft it is self-evident that this is insufficient to prevent Microsoft from transferring the user’s data to the US.
While the PIA lists some mitigating measure to be taken by the customer of Microsoft, it is out of question, that the customer of Microsoft has any option to fully control the data processing of Microsoft.
a) Software maintenance as data processing
In the classic form a software is sold by the seller (Microsoft) to the vendor (Dutch Government). When the software company provides maintenance to the software this is regarded as data processing on behalf.5 That derives from the fact that the customer determines the purpose of the data processing.6 This criterium has to be based upon the factual analysis of the circumstances.7
Insofar as the software is provided via ASP8 the view of data protection does not change. Since the software is now run on the premises of the software provider and not any longer on the premises of the customer, the customer still determines the purpose of the data processing. Therefore, the software provider still acts as data processor.
b) Microsoft becomes controller
In contrast to a processor Microsoft defines which data is processed and for which purpose the tracking data is used.9 According to Art. 28 (10) GDPR a processor which determines the purpose and means of the processing is regarded as controller. As consequence Microsoft is legally fully responsible for the tracking data as a controller.
c) No legal basis for data transfer to Microsoft
Originately the Dutch Government was the sole controller of the employee data and processed this data on basis of the employment contract with its staff. Insofar as Microsoft would process the employee data for the maintenance of its software, the employee data would have been transferred to Microsoft on data processing on behalf according to Art. 28 GDPR as legitimate legal basis.
Since Microsoft exceeds its space to manoeuvre as data processor and becomes a controller, the legal basis for the transfer of the employee data from the Dutch Government to Microsoft is no longer valid. Therefore, a different legal basis is required for the data transfer to Microsoft.
In general, four options are available for the data transfer to Microsoft according to Art. 6 GDPR:
- consent of the employees,
- fulfillment of a contract with the employees,
- secondary use,
- legitimate interest of Microsoft.
First, the employees were not asked to give their consent to the transfer of their data to Microsoft. In any event such consent would not be regarded as freely given in the employment context.
Second, since Microsoft has concluded solely a contract with the Dutch Government but not with the employees the data transfer is not necessary for the performance of a contract with the data subject.
Third, the purpose of tracking the user by Microsoft is no secondary use in relation to the processing of the employee’s data by the Dutch Government according to Art. 6 (4) GDPR since the tracking data serves the sole purpose of Microsoft and is not necessary for the fulfilment of the employment contract.
Fourth, Microsoft may have a legitimate interest in tracking its user to optimise its service. But that interest is outweighed by the Right to Data Protection of the users not to be tracked without being ask for prior consent.10
This leads to the fact that not only the user tracking of Microsoft is unlawful. In addition, the misuse of data by Microsoft is driving the Dutch Government into non-compliance since Microsoft disturbs the legal basis of the data transfer.
3.Dutch Government liable for data breach of Microsoft
The Dutch Government does not regard itself as controller.11 At a first glance it seems to be reasonable, that joint controllership does not apply if a processor is wilfully breaking the agreement for data processing on behalf and is acting as controller according to Art. 28 (10) GDPR.
But the ECJ regards any party which benefits from the service as joint controller:
„The fact that an administrator of a fan page uses the platform provided by Facebook in order to benefit from the associated services cannot exempt it from compliance with its obligations concerning the protection of personal data.“12
In addition, the Art29 regarded SWIFT acting outside of the data processing agreement as joint controller with the banks which were using the service of SWIFT. In this case SWIFT was – like Microsoft – wilfully infringing the contract with the banks.13
Therefore, the Dutch Government will be regarded as joint controller with Microsoft.
As consequence, the Dutch Government faces the risk to be sued for damages by its employees for the data breach of Microsoft. That derives from the concept of joint controllership where both controllers are jointly liable in relation to the data subject. According to Art. 82 (4) GDPR
„…each controller … shall be held liable for the entire damage in order to ensure effective compensation of the data subject.“
After compensating their employees, the Dutch Government may claim back the damages from Microsoft as second controller, who is responsible for the data breach.
It is the responsibility of the national DPAs to force Microsoft to comply with GDPR. A weak law enforcement would leave up to 80 % of all companies and most governmental bodies – which is the market share of Microsoft within the EU – in a severe conflict with the law.
This case shows that whether the free market economy nor public bodies can be indifferent to whether providers of a key IT-infrastructure, like Microsoft, are complying with the law.
1 A Privacy Impact Assessment (PIA) according to Art. 32 GDPR has to be conducted for processes which are likely to result in a high risk for data subjects.
2 DPIA DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS, 5 November 2018, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf;
A summary of the PIA is published by Sjoera Nas (Privacy Company), 13 November, 2018; https://www.privacycompany.eu/en/impact-assessment-shows-privacy-risks-microsoft-office-proplus-enterprise/
3 DPIA DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS 5 November 2018, page 15, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf
4DPIA DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS 5 November 2018, page 37 fotenote 6, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf
5 Thomas Kahler, IT-Maintenance is data processing on behalf according to German DPAs, https://dpoblog.eu/it-maintenance-is-data-processing-on-behalf-according-to-german-dpas
6 WP29, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, page 7 ff., 14; https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
7 WP29, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, adopted on 16 February 2010, page 8; https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf
8 Application service providing
9 DPIA DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS 5 November 2018, page 48, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf
10 Thomas Kahler, Do not track without consent state Geman DPAs, https://dpoblog.eu/do-not-track-without-consent-state-german-dpas1
11 DPIA DIAGNOSTIC DATA IN MICROSOFT OFFICE PROPLUS 5 November 2018, page 10, https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/rapporten/2018/11/07/data-protection-impact-assessment-op-microsoft-office/DPIA+Microsoft+Office+2016+and+365+-+20191105.pdf
12 ECJ C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein, 5 June 2018, Rdn. 40; http://curia.europa.eu/juris/document/document.jsf?
13 WP29, WP 169, Opinion 1/2010 on the concepts of “controller” and “processor”, 16 February 2010, page 9 states: „This factual approach is also supported by the consideration that the directive establishes that the controller is the one who “determines” rather than “lawfully determines” the purpose and means.“ http://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp169_en.pdf