Microsoft Privacy News

https://privacy.microsoft.com/en-us/privacystatement

18 tracked events
Coverage: Jan 1, 2020 to Mar 13, 2026

Event Timeline

18 events

Moderate | Neutral | Policy Change | +2 / -2

Microsoft updated its privacy policy to disclose that users who consent to receiving marketing communications by phone may be contacted using auto-dialers and artificial or prerecorded voices, which may be generated using artificial intelligence. This adds a new disclosure about the methods Microsoft may use for promotional phone calls. The update date changed from February 2026 to March 2026.

Critical | Anti-Privacy | Enforcement

Ireland's Data Protection Commission fined LinkedIn 310 million euros for GDPR violations related to targeted advertising. The DPC found that LinkedIn processed user data for behavioral analysis and ad targeting without a valid legal basis, and that user consent was not freely given, sufficiently informed, or unambiguous as required by the GDPR. The case originated from a 2018 complaint by the French nonprofit La Quadrature du Net.

Major | Anti-Privacy | Data Breach

Security researchers at Tenable disclosed a critical SSRF vulnerability (CVE-2024-38206) in Microsoft Copilot Studio that allowed authenticated attackers to leak sensitive information from Microsoft's internal cloud infrastructure, including access to Azure services and Cosmos DB instances. The vulnerability had a CVSS score of 8.5. Microsoft patched the flaw and stated no customer action was required.

Moderate | Pro-Privacy | Policy Change

After intense backlash over Recall's privacy and security flaws, Microsoft reversed course and made the feature opt-in rather than enabled by default. Microsoft also delayed the launch from June to December 2024 and announced major security overhauls, including encrypting the snapshot database, requiring Windows Hello authentication, and using Virtualization-based Security Enclaves to protect stored data.

Critical | Anti-Privacy | Policy Change

Microsoft announced Windows Recall, an AI feature for Copilot+ PCs that captures screenshots of user activity every few seconds and makes them searchable. Security researchers discovered the feature stored all data in a plaintext SQLite database, and a tool called TotalRecall could extract the entire history. Privacy advocates compared it to always-on surveillance, prompting widespread backlash from security experts and regulators.

Moderate | Anti-Privacy | Policy Change

The US House of Representatives banned congressional staff from using Microsoft Copilot over concerns that the AI tool could leak sensitive House data to unauthorized cloud services. The Office of Cybersecurity deemed Copilot a risk to users due to the potential for data to be leaked to non-House approved cloud services, making it one of the first US government bodies to formally restrict an enterprise AI tool.

Major | Anti-Privacy | Enforcement

The European Data Protection Supervisor ruled that the European Commission's use of Microsoft 365 infringed EU data protection law. The EDPS found violations of purpose limitation, international data transfer rules, and unauthorized disclosures of personal data. The Commission was ordered to suspend all data flows to Microsoft entities outside the EU/EEA by December 2024.

Major | Anti-Privacy | Policy Change

Proton Mail published an analysis revealing that the new Outlook for Windows shares user data with 772 third-party partners for advertising purposes. European users saw a consent modal disclosing these partners due to GDPR requirements, while US users received no such notification. The report highlighted that Outlook had transformed from an email client into a data collection and ad delivery platform.

Major | Anti-Privacy | Policy Change

Security researchers discovered that the new Outlook for Windows app syncs IMAP and SMTP credentials and all emails to Microsoft's cloud servers when users add third-party email accounts such as Gmail or Yahoo. The German publications Heise and c't found that usernames and passwords were transmitted to Microsoft servers, and that users could not use the new Outlook without cloud syncing. Proton Mail later called the new Outlook 'Microsoft's new data collection service.'

Critical | Anti-Privacy | Data Breach

Microsoft disclosed that a China-based threat actor, Storm-0558, used forged authentication tokens to breach email accounts at approximately 25 organizations including the US State Department and Commerce Department starting in May 2023. The attackers exploited a stolen Microsoft account signing key to forge tokens for Outlook Web Access. A DHS review later found a 'cascade of errors' in Microsoft's security practices that enabled the breach.

Major | Anti-Privacy | Enforcement

The FTC fined Microsoft $20 million for violating the Children's Online Privacy Protection Act through Xbox. Microsoft collected personal information from children under 13 without parental consent and illegally retained children's data for years, even when parents never completed account setup. The settlement required Microsoft to implement new parental consent procedures and notify parents about child-specific privacy protections.

Moderate | Pro-Privacy | Policy Change

Microsoft began the phased rollout of the EU Data Boundary for its cloud services, committing to store and process customer data for Azure, Dynamics 365, Power Platform, and Microsoft 365 within EU/EFTA datacenters. The initiative involved investments exceeding $12 billion across more than 17 European datacenter regions to address data sovereignty concerns following the Schrems II ruling.

Major | Anti-Privacy | Enforcement

France's CNIL fined Microsoft Ireland 60 million euros for privacy violations on Bing. The regulator found that Bing deposited advertising cookies without obtaining user consent and that refusing cookies required two clicks while accepting them took only one. Microsoft was ordered to obtain proper consent from French users within three months or face penalties of 60,000 euros per day.

Moderate | Neutral | Lawsuit

After six years of litigation, LinkedIn and hiQ Labs reached a settlement in the landmark data scraping case. The court entered a $500,000 judgment against hiQ and established its liability under California common law torts. The Ninth Circuit had earlier ruled that scraping publicly available data does not violate the Computer Fraud and Abuse Act, setting important precedent for web scraping and data privacy law.

Moderate | Anti-Privacy | Policy Change

The Dutch government published a Data Protection Impact Assessment on Microsoft Teams, OneDrive, SharePoint, and Azure AD, identifying significant privacy risks from telemetry data collection and structural transfers of pseudonymous personal data to the US. The DPIA recommended mitigations including disabling Teams Analytics by default and demanded a functional Data Viewer Tool for OneDrive telemetry.

Major | Anti-Privacy | Data Breach

A dataset containing scraped data from approximately 700 million LinkedIn profiles appeared for sale on hacking forums, affecting roughly 92% of LinkedIn's user base. Exposed data included full names, email addresses, phone numbers, workplace information, and in some cases GPS coordinates. LinkedIn stated no unauthorized system access occurred and the data was scraped from publicly available profiles via API abuse.

Critical | Anti-Privacy | Data Breach

Microsoft disclosed that a Chinese state-sponsored group known as Hafnium exploited four zero-day vulnerabilities in on-premises Exchange Server, compromising over 30,000 organizations in the US alone. Attackers gained access to email accounts and installed web shell malware. The US, UK, EU, and NATO jointly attributed the attack to China's Ministry of State Security.

Critical | Anti-Privacy | Data Breach

The SolarWinds supply-chain attack was publicly disclosed, revealing that Russian state-sponsored hackers had compromised SolarWinds Orion software updates since March 2020, breaching approximately 18,000 organizations including Microsoft. Attackers accessed Microsoft source code repositories and internal systems. Microsoft President Brad Smith called it 'the largest and most sophisticated attack the world has ever seen.'

Microsoft Privacy News — Policy Changes, Breaches & Enforcement | PrivacyWire