SURF advises not to use Microsoft 365 Copilot for the time being due to privacy risks
SURF advises educational and research institutions not to use Microsoft 365 Copilot for the time being. This is because research shows that there are privacy risks associated with using the generative AI tool. SURF remains in contact with Microsoft to resolve these risks, but advises not to use Microsoft 365 Copilot for the time being.
In 2024, SURF Vendor Compliance, together with external privacy experts from Privacy Company, conducted a Data Protection Impact Assessment (DPIA) on Microsoft 365 Copilot. In this DPIA, SURF reviewed employee and adult student usage because Microsoft does not yet make the paid education licence available to minors. The research revealed a number of privacy risks for users.
Identified privacy risks
The risks include a lack of transparency from Microsoft. It is not clear what personal data Microsoft collects and stores about the use of Microsoft 365 Copilot. Furthermore, the information users receive when they make a request for access is incomplete and incomprehensible. In addition, Microsoft 365 Copilot is likely to generate incorrect and incomplete personal data, and users do not notice that they are working with incorrect data because they rely too much on the generative AI tool.
Advice: do not use Copilot for the time being
SURF remains in contact with Microsoft to implement mitigating measures. However, SURF can only conclude that the identified high risks are not sufficiently eliminated at the moment. Therefore, the advice to educational and research institutions - the members of SURF - is not to use Microsoft 365 Copilot for the time being. SURF will continue discussions with Microsoft and will inform members as soon as the situation changes.
Full report publicly available
The full findings of the study can be found in the Data Protection Impact Assessment (DPIA) made publicly available by SURF.
Questions?
Do you have further questions? If so, please contact us at vendorcompliance@surf.nl.