A new report for the Netherlands Ministry of Justice and Security warns the country's agencies that using Microsoft Office Online, Office mobile apps, and Windows 10 Enterprise carries privacy risks.
The report comes from EU-based Privacy Company, which carried out three data-protection impact assessments (DPIAs) for the Dutch government in late 2018, covering Office and Windows 10, which are used by key agencies in the country.
Netherlands authorities last year cited eight undocumented privacy issues with the ProPlus versions of Office 2016 and Office 365: the apps sent content created by Dutch users to Microsoft, where it was stored on US servers and so potentially exposed to US law-enforcement requests.
Among the Dutch users are employees from the Tax and Customs Administration, the police, the judiciary, and independent administrative bodies.
Microsoft in February pledged to fix the ProPlus issues by April. However, in May, shortly after the EU began vetting Microsoft contracts for violations of Europe's new GDPR privacy laws, the company appeared to admit it was running late in meeting those objectives.
According to the new report, Microsoft has dealt with the eight issues previously identified with Office 365 ProPlus, but the changes agreed to between the Dutch government and Microsoft haven't been applied to Windows 10 Enterprise, Office Online, or Microsoft's mobile Office apps.
Because of this, the Netherlands is recommending agencies avoid Office Online and Office mobile apps while restricting Windows 10 data collection to the "lowest possible level".
"Moreover, certain technical improvements that Microsoft has implemented in Office 365 ProPlus are not (yet) available in Office Online. From at least three of the mobile apps on iOS, data about the use of the apps is sent to a US-American marketing company that specializes in predictive profiling," Privacy Company wrote.
"The Dutch government will continue to negotiate with Microsoft to bring Windows and the mobile apps within the scope of the new privacy terms and to implement the same technical improvements for Office Online."
"Therefore, SLM Rijk [division dealing with Microsoft procurement] advises government institutions to, for the time being, refrain from using Office Online and the mobile Office apps, and to opt for the lowest possible level of data collection in Windows 10, namely Security."
Microsoft hasn't been targeted in the high-profile trans-Atlantic data-transfer case headed up by Max Schrems, the Austrian lawyer suing Facebook over transferring EU residents' data to the US. But it is facing obstacles from publicly-funded customers in Europe.
Schools from a German state have been banned from using Office 365 by its data-protection commissioner because the standard setup exposes information about students and teachers to US laws, such as the CLOUD Act and the USA Freedom Act, which give US agencies wide-ranging powers to access user data from US tech firms.
In an interview with ZDNet last month, Schrems stressed that data sent to Microsoft's servers in the US are subject to US mass-surveillance laws, which conflict with EU privacy law.
The report's authors also encourage private-sector organizations in the Netherlands to negotiate "privacy guarantees similar to those of the national government", and suggest that this is best done through umbrella agreements rather than by each organization on its own.
The report notes that the Netherlands now has contractual guarantees from Microsoft covering all of its online services and Office 365 ProPlus. These guarantees cut the number of purposes for which Microsoft may use the data it receives from EU users, including all diagnostic data, from eight to three, and include a promise never to use that data for profiling, analytics, market research or advertising without user consent.
"Microsoft acknowledges that it may only act as a data processor for the data it receives about the use of Office 365 ProPlus, most Connected Experiences and the cloud services, and that these data are personal data," the report says.
"Microsoft may only process the data for three authorized purposes, and only if this is proportional. The purposes are: (1) to provide and improve the service, (2) keeping the service up to date, and (3) secure. Previously, Microsoft processed the data for eight purposes, including any purposes that they themselves considered to be compatible with the other specified purposes."