Microsoft Update: Microsoft 365 Copilot Data Privacy Impact Assessment

Jet de Ranitz

Public Sector Lead

Reading time: 2 min.

In December 2024, Strategic Vendor Management of the Dutch Ministry of Justice (SLM) and SURF published their Data Privacy Impact Assessment (DPIA) of Microsoft 365 Copilot, containing their concerns based on 4 high risks. This overarching DPIA is designed to support SLM and SURF in their role in procuring technology services for the central government and educational entities. This DPIA supports individual government organizations and educational institutions in performing their own DPIAs for their specific processing activities of personal data in the potential use of Microsoft 365 Copilot. 

In a response, Microsoft’s Chief Technology Officer, Enterprise and Devices, Aleš Holeček, shared our commitment to ongoing work between the parties to help address the concerns SLM and SURF raised regarding the Dutch government's and education sector’s intended use of Microsoft 365 Copilot.

In this blog post, we share an update about the progress and measures we introduced to meet our commitments to SLM and SURF in a manner that will benefit all our commercial customers. Microsoft has investigated and is of the view that it has addressed the specific observations of SLM and SURF by implementing solutions ahead of the target date of April 4th. We shared an update on the work completed in support of Microsoft’s commitments in a follow-up letter, published here. We are confident that these changes will enable a reassessment of the prior ‘high risk’ determinations.

The follow-up letter states how Microsoft has addressed the concerns on:

  1. Retention time of diagnostic data 
  2. Data Subject Access Request output 
  3. Required service data and diagnostic data transparency 
  4. Accuracy of personal data in Copilot outputs 

On the topic of accuracy, Microsoft demonstrated further investments, such as the recent ISO 42001 certification, and will continue to invest in this topic. Our perspective remains that both Microsoft and organizations themselves have a shared responsibility to address potential risks related to inaccurate generative AI output. Organizations have a responsibility to educate their users to understand that Microsoft 365 Copilot is a generative AI tool that predicts text recommendations. It is intended to assist users and is not intended to, and should not be used to, replace user decision-making.

We welcome the ongoing dialogue and take pride in the progress made to assist both SLM and SURF and their constituents in their deployment of AI technologies. At Microsoft, we are always prioritizing the privacy and security of our customers’ data. Our commitment to GDPR compliance remains unwavering. Microsoft has also developed additional services such as the Microsoft EU Data Boundary that guarantees the processing and storage of data in Europe. We are continuously working to meet the evolving and different needs of our customers and are creating higher standards every day.  
