Security News > 2022 > February > Dutch govt issues data protection report card for Microsoft

A Data Protection Impact Assessment has been published by a Dutch ministry, noting that Microsoft still has work to do if the country's institutions are to use the company's products without all manner of mitigations.

The DPIA - issued by the Netherland's department of Justice and Security - focused on Teams, OneDrive, Sharepoint and Azure Active Directory and was conducted by SLM Rijk, the central negotiator for Microsoft, Google and AWS for Dutch government organisations, and by SURF, the central IT procurement organisation for Dutch universities.

The Dutch Ministry of Justice and Security has form when it comes it Microsoft.

With Microsoft's EU Data Boundary not due to be complete until the end of 2022 mitigations include simply accepting the risk until Microsoft is done and consider the use of pseudonyms where identities must remain confidential.

For Microsoft, as well as explaining how each of its service will work with the EU Data Boundary, the report requests measures such as a "Functional Data Viewer Tool for OneDrive telemetry data on Windows and MacOS" and the disabling of Teams Analytics and reports by default.

The report concludes that if the mitigations are applied, then "There are no known high risks for the data processing." However, it did warn that should the European Data Protection Board assess the transfer risk posed by the use of the cloud giants as "Much higher" even after the EU Data Boundary is complete, "Organisations in the Netherlands would in fact no longer be able to use the services of US providers, and the consequences would be much greater than just the use of these Microsoft services." .

News URL

https://go.theregister.com/feed/www.theregister.com/2022/02/23/dpia_microsoft/