The Rijksoverheid and Dutch universities are advised not to discuss sensitive information via the Microsoft Teams communications platform. This is according to a Data Protection Impact Assessment (DPIA) report by research firm Privacy Company, written on behalf of the Ministry of Justice and Security.
In the DPIA report, Privacy Company speaks of a "high risk" in terms of protecting any sensitive information stored by Microsoft when using Microsoft Teams. Indeed, as a U.S. company, Microsoft is required to comply with any requests for data by U.S. authorities and intelligence agencies.
The risk of having to surrender data remains even if Microsoft were to store the data on European soil. In theory, Microsoft could be forced to decrypt the data as long as the company has access to the decryption key.
The risk also appears high when using OneDrive and Sharepoint, Microsoft's cloud storage and data-sharing solutions. However, in this case, agencies can reduce the risk by using Double Key Encryption, which adds an additional layer of encryption. For this layer, only the organization itself holds the decryption key.
Privacy Company has previously issued similar reports regarding Windows 10 Enterprise and Microsoft Office. Microsoft then made changes so that European agencies could continue to use this software under the AVG. The question now, however, is whether that is at all possible. In the current climate, the U.S. government could force Microsoft to transfer data from anyone, anywhere.
The threat is high, but perhaps not acute. Microsoft itself wrote last year, "We will contest government requests on personal data of public or commercial sector customers in the EU (from any government) if we have a lawful basis for doing so." Also in the report, Microsoft stated "it has never provided employee data from public sector institutions to any government, including the U.S. government."
