The report said investigators found no official documentation about what information Microsoft collects through Office and no way of turning Office telemetry off, raising a serious privacy concern for all current Office users, regardless of geographical location.
Investigators acknowledged that Microsoft collected functional and diagnostic data, which is usually a standard practice among software developers, but they also found that Office applications collected actual content from users' applications, such as email subject lines and sentences from documents where the company's translation or spellchecker tools were used.
While Microsoft has tried to make Office products GDPR compliant by storing EU users' Office documents on EU servers, the report found that the telemetry collection system sent Dutch user data to US servers, opening it to the possibility of having the information seized or queried by US law enforcement.
The Dutch government is extremely worried because sensitive Dutch government-related information that might have been grabbed as part of the telemetry collection system may have also ended up on those US servers. The Dutch government runs Office apps on over 300,000 computers, according to the latest public figures.
Further, the investigation found that Office telemetry collection is far more expansive than the one in Windows 10.
Investigators said that Microsoft collects up to 25,000 types of Office events, data which is made available to up to 30 engineering teams. In contrast, Windows 10 is known to collect up to 1,200 event types, data that is shared with only up to 10 engineering teams.
The report's full findings are available below, along with possible countermeasures proposed by investigators, for both Microsoft and Office users.
Dutch investigators said they've already been in contact with Microsoft about their findings. According to the report, Microsoft has already rolled out a "zero exhaust" telemetry collection setting for Office users to address issues #1 and #2, from above. ZDNet was unable to identify this setting at this moment, and it is unclear if this option has been made available to all users globally.
The Redmond-based company is still working with authorities on addressing items #3 through #8, and, potentially, avoiding a huge GDPR fine.
Microsoft also told investigators it intends to provide documentation about the Office telemetry it collects, clearer options so users can select the desired level of telemetry collection, and a data viewer tool so sysadmins and users can view the raw telemetry data collected via Office.