Microsoft Privacy Report - April 2023

At Microsoft, we value, protect, and defend your privacy. We live up to our commitment to protect your privacy by providing products, information, and controls to help you make informed choices about your data. We publish this Microsoft Privacy Report twice a year to give you the latest information on what personal data we collect, how it may be used, and how you can manage and control your data.

This report also summarises important new developments in privacy at Microsoft following our last report in October 2022. We’ve continued to see interest from our customers in solutions that protect the security and privacy of their data, the acceleration of comprehensive privacy legislation globally, and new technological advancements.

In response, Microsoft has continued to release tools to help protect the data of our customers and help organisations govern, protect and manage their data. These new tools include Microsoft Purview, a family of data governance, risk, and compliance solutions. In January 2023, we also began the phased rollout of the European Union (EU) Data Boundary, which offers customers the ability to store and process their customer data within a geographical boundary in the EU for Microsoft 365, Microsoft Azure, Power Platform and Microsoft Dynamics 365 services. Finally, we continue to work closely with governments and other stakeholders to support U.S. and global privacy legislation that will enable the trusted sharing of data, including through the EU-U.S. Data Privacy Framework and the Global Cross-Border Privacy Rules Forum.

Tools for protecting and controlling data

We provide tools to help you control your data using the Microsoft privacy dashboard. With the dashboard you can view, delete, and manage your data and privacy settings. Data that appears on the dashboard includes data from your Bing searches, Microsoft Edge browsing, location history, and use of Microsoft apps and services. As of March 2023, the privacy dashboard had 3.2 million monthly active users, showing active engagement and use globally. (See the Appendix for detailed figures of privacy dashboard use by country.)

In addition to the controls available on the privacy dashboard, the Microsoft privacy support team provides direct assistance to customers around the world who have questions about their personal data. In the last six months, the privacy team assisted over 4,100 individuals and organisations from 113 countries with their privacy requests and concerns submitted through our privacy support form.

We believe it is important to supplement privacy tools like the dashboard with educational resources, particularly for young people as they learn to navigate the online world. For Safer Internet Day in February 2023, we released an immersive game-based learning adventure, Privacy Prodigy, for students ages 7-18. In this game designed for Minecraft Education, players take on the challenge of protecting their data as they venture further from home, encountering scenarios that help them learn about the personal information that can be shared and what should be kept private. Privacy prodigy is available for free both for Minecraft Education and in the Minecraft Marketplace.

We also provided our customers with additional features and tools to help protect their privacy. During 2022, we released two new tools to enhance identity protection, Microsoft Entra for business and public sector customers, and Microsoft Defender for individuals. We also announced new services that enable organisations to meet their localisation goals with the Microsoft Cloud for Sovereignty and Microsoft Purview. We began 2023 by offering a preview of Adaptive Protection in Microsoft Purview, a new capability of Microsoft Purview that uses machine learning to understand how users are interacting with data and assign risk levels. Microsoft Purview can then adapt by adjusting Data Loss Prevention (DLP) controls in response to a detected risk.

Providing transparency and choice

We classify the data we collect from customers in our major products and services as either required or optional. Required data includes diagnostic or service data that we use for security patches and to help detect functionality issues with our products and services so we can keep our products up to date, secure, and performing as expected. Optional data is data that we use to support features or analysis that goes beyond required baseline functionality; we enable our customers to decide whether to share optional data with Microsoft.

To be transparent with our customers about how we collect and use required and optional data, Microsoft publishes and regularly updates summaries for each of our major online services. These summaries also help our customers make informed choices about the data they share with Microsoft.

• Data collection summary for Dynamics 365
• Data collection summary for Office
• Data collection summary for Teams
• Data collection summary for Windows
• Data collection summary for Xbox

Responding to the changing privacy landscape around the world

There is a growing expectation that people should benefit from digital technology without losing control of their personal information. This expectation continued to drive new comprehensive privacy legislation around the globe in the past year. For example, in October 2022 Indonesia passed the Personal Data Protection Act, bringing a comprehensive privacy law to the quarter most-populous nation in the world.

The United States is also considering a national privacy law, but the path forward continues to remain uncertain. In the meantime, individual states are implementing their own comprehensive privacy laws. In January 2023, California’s second comprehensive privacy law (known as the California Privacy Rights Act) and the Virginia Consumer Data Protection Act both went into effect, with the Colorado Privacy Act, Connecticut Privacy Act, and Utah Consumer Privacy Act going into effect later in 2023.

For a complete discussion of developments in privacy legislation, see A look back at privacy and data protection in 2022 from the International Association of Privacy Professionals.

Microsoft has long supported comprehensive privacy legislation and is committed to helping develop durable global solutions. We continue to work constructively with regulators, lawmakers, NGOs, and others at the federal and state level in the United States and around the globe to advance meaningful data protection and privacy regulation. Microsoft products and services already comply with global regulations, and we are committed to continuing to move quickly to adapt to changing regulations on behalf of our customers and support strong, comprehensive, and interoperable laws globally.

Earlier in 2022, we announced our support for the EU-U.S. Data Privacy Framework, a critical agreement between the European Commission and the U.S. government regulating the transfer of data between the EU and the U.S. The framework is designed to rebuild and strengthen the data protection bridge between these two jurisdictions. In October 2022, U.S. President Biden signed an Executive Order on ‘Enhancing Safeguards for United States Signals Intelligence Activities’. Along with Regulations issued by the Attorney General, the Executive Order implements into U.S. law the EU-U.S. Data Privacy Framework. Microsoft announced support for the Executive Order and Proposed Regulations, which help realise the promise of trusted data flows and important privacy protections for businesses and individuals worldwide. We are committed to meeting and exceeding the requirements of the EU-U.S. Data Privacy Framework.

To continue meeting the needs and expectations of our European customers, in January 2023, we began a phased rollout of our EU Data Boundary for our public sector and commercial customers in the EU and the European Free Trade Association (EFTA). The EU Data Boundary offers customers the ability to store and process their customer data within the EU Data Boundary for Microsoft 365, Azure, Power Platform and Dynamics 365 services. The EU Data Boundary expands on existing local storage and processing commitments, greatly reducing data flows out of Europe and building on our robust data residency solutions. In the coming phases of the EU Data Boundary, Microsoft will expand the EU Data Boundary solution to include the storage and processing of additional categories of personal data, including data provided when receiving technical support. Additionally, we introduced the ability for businesses to manage Microsoft Windows diagnostic data on Windows devices for an entire organisation using Azure Active Directory. The Windows diagnostic data for those devices for our European customers will now be processed in Europe.

Another key initiative for advancing global data flows was the Global Cross-Border Privacy Rules (CBPR) Forum in 2022. We applaud the work of Australia, Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan, and the United States of America, which announced the launch of the CBPR Forum. Work continues in 2023 to grow CBPR government participation and interoperability with other privacy systems around the world, including in Asia, Europe, the Middle East, and Latin America. The current government participants are working together with new global partners to advance the CBPR system to meet today’s data flow and regulatory patchwork challenges.

Driving AI innovation while protecting privacy

Privacy remains an important consideration for Artificial Intelligence applications. At Microsoft, we’ve been working to advance safety and privacy by building a responsible AI infrastructure since 2017. To share what we have learned, in June 2022, Microsoft published our Responsible AI Standard, a framework for how we develop and deploy AI systems responsibly. The standard helps our internal teams turn our AI principles – fairness, reliability and safety, privacy and security, inclusiveness, transparency and accountability – into engineering practices. Additionally, Microsoft produces Transparency Notes as part of a broader effort to put our AI principles into practice. This documentation is intended to help you understand how our AI technology works, the choices system owners can make that influence system performance and behaviour, and the importance of a whole systems approach, including considerations for the technology, the people and the environment.

In February 2023, we announced an updated version of Microsoft Bing that deploys AI technologies in new and significant ways. The all new, AI-powered Bing search engine and Edge browser deliver better search through a new chat experience and more complete and immersive answers through use of next-generation Large Language Model (LLM). Bing users can continue to view and delete their search queries on their privacy dashboard and learn about how Bing collects and processes personal data in the Microsoft Privacy Statement. For a transparent description of the methods used to identify, measure, and mitigate potential harms and to secure the benefits of AI technology for our users, see our white paper The new Bing - Our approach to Responsible AI.

In March 2023, we announced new AI capabilities in Microsoft 365 and Dynamics 365 with Microsoft 365 Copilot and Dynamics 365 Copilot. Microsoft 365 Copilot combines the power of LLMs with your data in the Microsoft Graph and Microsoft 365 apps to enable the use of words and text for automated creation and insights through Excel graphs, PowerPoint presentations and other productivity tools. Dynamics 365 Copilot, the world’s first AI copilot natively built-in to both Customer Relationship Management (CRM) and Enterprise Resource Planning (ERP) applications, brings the power of next-generation AI capabilities and natural language processing to help business professionals create ideas and content faster, and get insights into next best steps.

Maturing a new technology takes time and collaboration. We look forward to seeing customers unlock the full potential of AI and getting feedback from stakeholders across government, industry, and civil society to help develop responsible and privacy protective AI technologies that serve as an essential productivity tool for the future.

Learn more about Microsoft reports

We continue to strive toward building and maintaining trust in technology, and we know that transparency is a key component of that trust. In addition to this Privacy Report, we offer a comprehensive overview of all our efforts to nurture digital trust in our Reports Hub. Microsoft publishes regular reports, including metrics on how Microsoft responds to government and law enforcement requests for user data and for content moderation:

• Digital Safety Content Report
• Law Enforcement Requests Report
• U.S. National Security Orders Report
• Copyright Content Removal Requests
• Government Requests for content Removal Report
• "Right to be forgotten" Requests

Appendix

Our global commitment to data subject rights enables millions of people to control their data. From July 1 through December 31, 2022, the Microsoft privacy dashboard had 12,138,541 users. The chart below lists the 20 countries with the most privacy dashboard users.