Access-data leakage in the new Outlook: data protection advocates advise against using it

The news that Microsoft’s “new” Outlook for Windows grabs the access data (credentials) of third-party mail accounts and stores it in Microsoft’s cloud came out about a week and a half ago. The Federal Commissioner for Data Protection, Ulrich Kelber, then expressed concern. Now more data protection experts and officers are speaking out. Among them is the Thuringian State Commissioner for Data Protection and Freedom of Information (TLfDI), Lutz Hasse, who recommends not using the new Outlook version.


Dr. Lutz Hasse wrote a message about this (it can be viewed here as a PDF). For example, regarding Microsoft’s statement to heise online and c’t, according to which users who do not want to use their accounts with the Microsoft cloud can cancel the process when switching and switch back to classic Outlook, he writes: “In other words, you can either use the new Outlook as intended by Microsoft (with data transfer) or not at all… You’d be a rogue to think anything bad about it :)”

The message concludes with the note: “At the moment, the TLfDI strongly advises that you carefully consider the approval for this profound invasion of privacy by the ‘New Outlook’ app and draw the right conclusions from the information mentioned above. Exercise the right to choose that Microsoft itself brought into play and do without the new Outlook version!”

The former State Commissioner for Data Protection and Freedom of Information in Baden-Württemberg, Stefan Brink, who held the position from 2017 to 2022, also responded to our request and provided his assessment.

Brink writes: “Microsoft’s approach is at least opaque. It will not always be clear to users of the Outlook app for Windows or macOS what it means to allow emails to be retrieved from other email accounts. It is understandable that the access data for these mail accounts is used by the app – but if this access data is then also used by Microsoft to create an MS Cloud account and to store the data from the other mail accounts there, then that is not only surprising (at least for everyone who doesn’t have a Microsoft account), but also an additional risk, because not everyone wants to have their emails in the cloud.”

Brink is even clearer: “This can even be a legal violation on the part of the user, for example if, as a public service employee or holder of business secrets in his company, he is subject to certain confidentiality regulations that prohibit the storage of sensitive data in the cloud. In addition, the user thereby gives Microsoft access to the contents of the emails – and as a rule he is not allowed to do that.”

“I consider this approach by Microsoft to be particularly annoying because we already had this issue with the Outlook apps for smartphones – Microsoft corrected its approach there, but is now making the same mistake,” adds Brink.

With regard to a classification under the General Data Protection Regulation (GDPR), Brink explains: “The GDPR imposes extensive transparency obligations on the provider of such services as the controller; one of its principles is that personal data is processed in a way that is comprehensible to the data subject (Art. 5 Para. 1 GDPR). One can justifiably doubt that Microsoft’s approach shown here does justice to this.”

“Moving emails to an additional cloud account also raises significant questions in terms of data protection by design (Art. 25 GDPR) and general data security (Art. 32 GDPR), because duplicating storage locations always entails increased security risks,” adds Brink. He expects the data protection supervisory authorities to get involved and at least make use of their options to issue warnings or reprimands. That is exactly what the Thuringian data protection officer has now done.

When asked by c’t, the spokesman for the Federal Commissioner for Data Protection and Freedom of Information (BfDI), Kelber, also explained that he had “asked his Irish colleagues within the framework of the European Data Protection Board” to “provide an assessment as quickly as possible”. He had also informed them about the debate in Germany and sent written information about the public debate. “As we have not yet received any information from the lead Irish data protection supervisory authority, the DPC, we cannot carry out a data protection assessment,” Kelber’s spokesman concludes his answer.

The week before last, Kelber responded promptly on Mastodon to the reports of unsolicited data transfer and announced that he would raise the matter with the Irish data protection authority responsible for Microsoft at the meeting of the European data protection supervisory authorities on Tuesday of last week.

It will be interesting to see how the case develops. Microsoft has already corrected a similar error in the mobile Outlook apps. The company has not yet declared the new Outlook to be the final version, so corrections should still be easy here too.


(dmk)
