Privacy risks of Microsoft 365 Copilot now rated orange

SURF advises education and research institutions to exercise caution when deploying Microsoft 365 Copilot. That is the conclusion of a new DPIA (Data Protection Impact Assessment) on Microsoft 365 Copilot. Despite improvements to the AI application, not all risks have been convincingly addressed.

Cautious deployment and preconditions

In recent months, SURF and SLM (Strategisch Leveranciers Management; Strategic Supplier Management) of the Dutch central government have held intensive discussions with Microsoft to address the risks. Because of the privacy improvements in Microsoft 365 Copilot, which benefit all users, SURF no longer advises against its deployment outright. But given the risks that remain, educational and research institutions are advised to be cautious in their use of Copilot and to weigh the risks carefully for each type of use. In any case, we recommend making clear agreements within the institution about the use of AI and adopting an AI usage policy.

Conclusions and risk assessment

In December 2024, SURF published the first DPIA on Microsoft 365 Copilot, which identified four high risks. Of those four, two remain, and they are now rated 'medium' or 'orange'. These two remaining risks concern inaccurate (personal) data and the retention period of diagnostic (personal) data about use of the service. SURF is closely monitoring Microsoft's commitments to address these medium risks and will carry out a new assessment in six months' time.

Managing deployment of artificial intelligence

As a cooperative, SURF works to ensure that the sector retains control over the deployment of AI and that this deployment is done responsibly. With DPIAs such as this one and other processes, we inform our members about the opportunities and risks of AI. In doing so, SURF takes into account the balance between different providers and the current geopolitical situation, so as to avoid vulnerability arising from dependencies in operations. SURF uses the Cloud Sourcing Strategy as its starting point for this.

Full report available

Download the Data Protection Impact Assessment report.

SURF member and need more information?

Register for Webinar (SURF members only): Registration webinar Copilot Sept 2025
Email address SURF Vendor Compliance: vendorcompliance@surf.nl
Website SURF Vendor Compliance: https://vendorcompliance.surf.nl/microsoft/

SURF is especially alert to processing by vendors and their associated sub-vendors that are located in the US. For more information, SURF refers to the previously prepared general information document on the use of US-based vendors.