
SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks

We advise educational and research institutions not to use Microsoft 365 Copilot for the time being, because research shows that there are privacy risks associated with using the generative AI tool. We remain in contact with Microsoft to resolve these risks.

In 2024, together with external privacy experts from Privacy Company, we conducted a Data Protection Impact Assessment (DPIA) on Microsoft 365 Copilot. In this DPIA we reviewed use by employees and adult students, because Microsoft does not yet make the paid education licence available to minors. The research revealed a number of privacy risks for users.

Identified privacy risks

The risks include a lack of transparency from Microsoft. It is not clear what personal data Microsoft collects and stores about the use of Microsoft 365 Copilot. Furthermore, the information users receive when they make a request for access is incomplete and incomprehensible. In addition, Microsoft 365 Copilot is likely to generate incorrect and incomplete personal data, and users do not notice that they are working with incorrect data because they rely too much on the generative AI tool.

Advice: do not use Copilot for the time being

We remain in contact with Microsoft to implement mitigating measures. However, we can only conclude that the identified high risks are not sufficiently eliminated at the moment. Therefore, we advise educational and research institutions not to use Microsoft 365 Copilot for the time being. We will continue discussions with Microsoft and will inform members as soon as the situation changes.

Full report publicly available

The full findings of the study can be found in the Data Protection Impact Assessment (DPIA) made publicly available by SURF.

Need more information? Visit vendorcompliance.surf.nl or contact our team.