Earlier this month the European Data Protection Supervisor (EDPS) announced a new investigation into Microsoft's contracts with EU institutions, to check for potential violations of the General Data Protection Regulation (GDPR).
The investigation follows one by the Dutch government that found eight GDPR violations in Office ProPlus and Office 365, which EDPS expects to also find in other EU nations' institutions that use Microsoft's products.
Microsoft on Tuesday announced that it will change how it collects data from devices when customers use its services, introducing the new 'required' and 'optional' categories for data collected, say, when enterprise customers use Office 365.
These changes are a response to questions often raised by European customers, according to Julie Brill, Microsoft corporate vice president and deputy general counsel.
"In recent months we've heard from customers – especially those in Europe – with questions about the data that is collected from their devices when they use our products and services," wrote Brill.
'Required' data includes all data that is essential for making Microsoft's products work as expected or to help ensure security, according to Brill.
This definition includes terms that are searched so Microsoft can deliver a result, an IP address, the type and version of a device so Microsoft can patch it, and 'diagnostic data', so that Microsoft can respond to feature failures.
Dutch investigators found that users have no way of turning Office telemetry off, and that Microsoft is collecting content from users' Office 365 apps, such as email subject lines and sentences from documents where the company's translation or spellchecker tools are used.
Brill notes that in some cases customers can control what data is collected by "deciding whether to use the product features or functions that depend on that required data".
In the case of Office 365, Microsoft does collect data required to sync documents if a customer's employee wants to use cloud-based storage and collaboration features.
"We are working on providing additional configuration options that will give customers more control over the collection of data that's required for certain features or functions," said Brill.
'Optional' data isn't required for a service to function. Again, customers can control what data is collected by choosing to use certain features or functions.
Customers should be able to decide during product setup whether to allow collection of optional data. Microsoft also plans to make it easier for customers to change optional data-collection settings after the initial setup.
Examples of optional data that Microsoft collects include pictures inserted into Word documents "to provide better image options and about the time it takes for a PowerPoint slide to appear on your screen so we can improve the experience if it's slow".
Microsoft also plans to improve its product documentation – another gripe Dutch investigators have with Microsoft.
"Specifically, we'll ensure that documentation for our major products and services describes the data we collect in each of these categories," wrote Brill.
Existing documentation will also be updated to describe what required and optional data Microsoft collects. Microsoft vows to make these descriptions easy to understand and to explain why required data is needed.
The new 'required' versus 'optional' categories will be rolled out "in the coming months" for Windows 10 and Office 365 ProPlus, with additional changes later for other products, such as Xbox and Dynamics 365.
The timeframe suggests Microsoft could be running a little later than expected. As per a Politico report in February, Microsoft pledged to update Office ProPlus by the end of April to comply with EU privacy laws.
Brill said at the time Microsoft will take "additional steps to make it easier for customers to understand what data needs to go to Microsoft to run our services and why, and where data-sharing is optional".
Finally, to improve transparency, Microsoft intends to publish a new report that will detail changes to its data collection, such as any new data that fits the required category. It will also report when it stops collecting certain types of data.