Microsoft has released its latest biannual digital trust reports on the Microsoft Reports Hub. The reports consist of the Law Enforcement Requests Report, U.S. National Security Orders Report, Content Removal Requests Report and Digital Safety Content Report.
The tech giant also released its latest Microsoft Privacy Report with this larger group of reports.
Law enforcement requests
When Microsoft receives a law enforcement request from any government, the company said it reviews the request to ensure it is consistent with controlling law and its principles. This latest report shows Microsoft received 24,798 total requests covering 45,258 users/accounts in the latter half of 2020. Of those, close to 25% were rejected.
“We disclose customer data only in response to a legally valid warrant, order or subpoena, and only after we confirm the request specifies specific accounts or individual identifiers,” the company explained in a blog post. “We object to improper legal demands–even through litigation when necessary.”
The Law Enforcement Requests Report encompassing the period from July to December 2020 remains largely consistent with previous reports.
Requests for consumer data:
Microsoft received 24,798 legal requests related to its consumer services from law enforcement agencies around the world, an increase from the previous six-month period, when the company received 24,093 legal requests.
A majority of the law enforcement requests Microsoft received during this period continued to come from countries including Brazil, France, Germany, the United Kingdom and the United States.
Specific to U.S. law enforcement, the company said it received 5,682 legal requests for data related to its consumer services—an increase from the previous period of 5,507.
Requests for enterprise customer data:
In the second half of 2020, Microsoft received 109 requests from law enforcement around the world for data associated with enterprise cloud customers (defined as customers who purchased more than 50 seats).
In 69 cases, these requests were rejected or withdrawn, or law enforcement was successfully redirected to the customer to obtain the information it was seeking.
In 40 cases, Microsoft was compelled to provide some information in response to the order: 19 cases required the disclosure of some customer content, and in 21 of the cases, the company was compelled to disclose non-content information only.
U.S. national security orders
The U.S. National Security report indicates the number of orders received; however, Microsoft said receipt of an order does not mean the company ultimately disclosed the information sought. “We have successfully challenged requests in court, and will continue to do so, when we believe there are grounds for a challenge.”
The report is based on the period from January to June 2020 and is largely consistent with the previous reports:
For the latest Foreign Intelligence Surveillance Act (FISA) data reported, Microsoft said it received 0-499 FISA orders seeking content disclosures affecting 14,000-14,499 accounts, which is a decrease from the previous period where disclosures affected 14,500-14,999 accounts. The company said it received 0-499 National Security Letters in the latest reporting period, which is unchanged from the previous period.
Content removal requests
The latest Content Removal Requests Report details acceptance rates regarding requests received from governments, copyright holders and individuals subject to the European Union’s “Right to Be Forgotten” ruling.
China made the most requests for content removal during this period—1,200 requests. Microsoft took action on 1,146 (96%) of those requests.
Digital safety content
The Digital Safety Content Report covers actions that Microsoft has taken in relation to child sexual exploitation and abuse imagery, terrorist and violent extremist content as well as non-consensual intimate imagery. “We continue to take steps to ensure that our platforms and services remain safe and welcoming to all users with respect to their rights to privacy and freedom of expression,” the company said.
Microsoft Privacy Report
As part of its “continuing efforts to provide customers with increased transparency and control over their data,” Microsoft released its biannual Microsoft Privacy Report. The privacy report includes information about how the company collects personal data and important privacy updates that enable customers to make informed choices, Microsoft said.
“Microsoft has continuously demonstrated that we will go above and beyond the requirements of the law to defend our customers’ data and the data of their users,” the privacy report states. “We understand that our public sector and enterprise customers regularly need to move their data between countries to serve their clients, work with suppliers and manage their global workforce.”
On the heels of the July 2020 Schrems ruling by the Court of Justice of the European Union, Microsoft said it has provided additional contractual safeguards to support transfers of personal data.
“Our new steps to defend customers’ data and to indemnify their users for damages caused by Microsoft’s disclosure of their personal data in response to an order from a non-EU/EEA government or law enforcement agency in violation of GDPR make a substantial addition to our foundational privacy promises and build on the strong protections we already offer customers.”
This latest report highlights channels available for users to manage and control their personal data, including through the Microsoft Privacy Dashboard and the privacy controls within Microsoft Teams, the company said.
Microsoft said it continues “to strive toward building and maintaining trust in technology, and we know that transparency is a key component to that trust. Our digital trust reports are intended to help our customers understand how Microsoft responds to requests for data and for content removal.”
Further information about Microsoft’s principles, policies and procedures for responding to government requests for data can be found on its Data Law website.