Microsoft Privacy Report - October 2020
Published: October 2020
Introduction
At Microsoft, we believe that privacy is a fundamental human right that requires a commitment to provide robust data protection for every individual and organization. We live up to this commitment by providing products, information, and controls that allow you to choose how your personal data is collected and used. Read on to learn more about important events impacting global privacy and an update on our work to classify personal data collection as ‘Required’ or ‘Optional.’
Global privacy news
We are living in a changed world, as the effects of the COVID-19 pandemic and unprecedented events of 2020 have impacted every corner of the globe. Governments, public health authorities, and industries everywhere are engaged in the hard and important work of identifying a path forward to get society back together again. As in all other aspects of modern life, digital technologies are being used to support these efforts, many of which require special care as sensitive data about our location and health status may be involved.
In this context, Microsoft adopted seven principles for our own use, and for policymakers, developers of digital technologies, and other stakeholders to consider as the world moved into the next phases of helping to control this pandemic:
- Obtain meaningful consent by being transparent about the reason for collecting data, what data is collected, and how long it is kept.
- Collect data only for public health purposes.
- Collect the minimal amount of data.
- Provide choices to individuals about where their data is stored.
- Provide appropriate safeguards to secure the data.
- Do not share data or health status without consent, and minimize the data shared.
- Delete data as soon as it is no longer needed for the emergency.
Staying safe while connecting with technology
The pandemic has had a profound impact on how people connect with friends, family, colleagues, teachers, and students. As the global response to COVID-19 evolves, communities around the world have changed the way they conduct their work, learning, and life—from the early days of the pandemic when everything was remote, to the more hybrid approach that we’re seeing today. And as we navigate these shifts, privacy and data protection remain critical considerations for the technology we rely on to stay connected.
Microsoft Teams is our platform for chatting, meeting, calling, and collaborating from anywhere. And because we all care about the privacy and confidentiality of our communications, we built Microsoft Teams with privacy, advanced security capabilities, compliance, and ease of management as core tenets.
Teams also offers built-in features to help protect privacy as many people juggle multiple roles from home or start to embrace a new hybrid workplace or learning environment.
Changes to cross-Atlantic data flow mechanisms
Microsoft has continuously worked to ensure appropriate protections are in place for both our customers and our own business when data flows across borders. In July 2020, the Court of Justice for the European Union (CJEU) invalidated the EU-U.S. Privacy Shield, one of the main legal mechanisms for transferring personal data from the EU to the U.S. At the same time, the CJEU upheld another data transfer mechanism, the Standard Contractual Clauses (SCCs), so long as the SCCs include additional safeguards that provide an essentially equivalent level of protection in the destination to that guaranteed within the EU.
Microsoft relies on the SCCs, augmented by supplementary measures, to transfer data from the EU to the U.S. Many of the supplementary measures from Microsoft have been in place for years and arise from our six core privacy principles. To highlight a few of our privacy principles and the corresponding measures:
- Security: Microsoft uses industry recognized encryption protocols to provide barriers against unauthorized access to customer data.
- Strong legal protections: No government has direct access to customer data. Microsoft scrutinizes all government demands for legal validity and appropriateness. We have a proven track record of using the courts to challenge government demands that we believe are inappropriate and do not adhere to our commitments.
- Transparency: Microsoft strives to provide transparency in our practices – through the Microsoft Privacy Statement and this Privacy Report—and transparency about circumstances where we must release data to other entities through our various transparency reports. We place a premium on transparency in our digital world, which is why we share both year-end reports and year-round updates. You can see the full breadth of our commitment to digital trust, human rights, diversity and inclusiveness, and sustainability at our Corporate Social Responsibility Reports Hub. Our commitment to privacy and transparency about data access is made clear through the following specific reports:
Required and Optional data
Microsoft is committed to empowering our customers to make the choices that work best for them. To that end, we periodically publish updates on the work we have done to provide more transparency about the data that is required to run our services and keep them secure and working as expected, and the data that we collect where we provide options to our users. This is our second report about Required and Optional data that Microsoft services collect. Our first privacy report is available here.
Some highlights about our recent work to continue to improve transparency about our data use include a new user control in Xbox that allows users to choose whether to send optional data to Microsoft and new, updated, or improved privacy controls in a number of Office products.
You can learn more about the data collection practices of our major online services by reviewing detailed materials we provide about each one. The information in the summaries below are updated as often as necessary to reflect new service improvements, so you may want to visit these materials periodically to understand our continuous journey to improve transparency about our data use.