Data pro­tec­tion with Micro­soft 365 Copilot

Let arti­fi­ci­al intel­li­gence (AI) do the work in the com­pa­ny? What has sound­ed like sci­ence fic­tion so far, Micro­soft wants to make pos­si­ble in the future. With Micro­soft 365 Copi­lot, Micro­soft will offer its busi­ness cus­to­mers a paid-for AI tool in the future. We will explain below what impact Copi­lot will have on data protection.

Micro­soft 365 Copilot

Micro­soft 365 Copi­lot is a new AI solu­ti­on from Micro­soft, that will be imple­men­ted in Micro­soft 365 to help busi­nesses opti­mi­se their per­for­mance. Copi­lot inte­gra­tes lar­ge AI lan­guage models, known as Lar­ge Lan­guage Models (LLMs), which are based on lar­ge amounts of text data and used to gene­ra­te text-based con­tent, into Micro­soft 365 apps and the Micro­soft Graph appli­ca­ti­on. Based on the afo­re­men­tio­ned approach, the spe­cial fea­ture of Copi­lot is said to be that the LLMs do not gene­ra­te con­tent based on arbi­tra­ry data sources as is usual­ly the case, but ins­tead gene­ra­te company-specific and con­tex­tu­al respon­ses by acces­sing the data of the respec­ti­ve busi­ness cus­to­mer from Micro­soft Graph in real time. Copi­lot is inten­ded to be included in the Micro­soft 365 E3, E5, Busi­ness Stan­dard and Busi­ness Pre­mi­um sub­scrip­ti­ons as a paid add-on sub­scrip­ti­on in the future. The exact date is not yet known.

The data pro­tec­tion issue

Sin­ce Copi­lot requi­res an ana­ly­sis of all busi­ness data, pri­va­cy con­cerns are quick­ly being rai­sed. Pur­su­ant to Micro­soft, howe­ver, the new busi­ness model will gua­ran­tee busi­ness cus­to­mers grea­ter data pri­va­cy and data secu­ri­ty in addi­ti­on to the bene­fit of con­tex­tu­al con­tent gene­ra­ti­on. As to the use of Copi­lot, Micro­soft says it will adopt the company’s exis­ting Micro­soft 365 secu­ri­ty and pri­va­cy poli­ci­es, iso­la­te and pro­tect company-related data within the Micro­soft 365 ten­ant, and com­pa­nies are said to keep full con­trol of their own data. In addi­ti­on, the com­pa­ny data will not be used for trai­ning pur­po­ses. Moreo­ver, Micro­soft pro­mi­ses to adhe­re to the Micro­soft AI Prin­ci­ples and Micro­soft Respon­si­ble AI Stan­dards. It remains to be seen how the­se pro­mi­ses will be con­trac­tual­ly backed. Howe­ver, sin­ce Copi­lot will be part of the Micro­soft 365 pro­duct fami­ly, the exis­ting data pro­tec­tion and com­pli­ance obli­ga­ti­ons will also be rele­vant here, so that the Micro­soft Pro­ducts and Ser­vices Data Pro­tec­tion Adden­dum (DPA) will pro­ba­b­ly apply.

Impli­ca­ti­ons for practice

Due to the com­ple­xi­ty and the wide ran­ge of pos­si­ble usa­ges of Copi­lot, it is not pos­si­ble to make a blan­ket state­ment on its use in con­for­mi­ty with data pro­tec­tion. The spe­ci­fic use in the com­pa­ny and the cir­cum­s­tances of the indi­vi­du­al case are decisi­ve. As a new mem­ber of the Micro­soft 365 pro­duct fami­ly, Copi­lot will in all likeli­hood also encoun­ter hea­vy cri­ti­cism from the data pro­tec­tion super­vi­so­ry aut­ho­ri­ties. Howe­ver, com­pa­nies should not be deter­red by this cri­ti­cism, but should exami­ne the pos­si­bi­li­ty of a data protection-compliant use of the AI tool in the spe­ci­fic indi­vi­du­al case. The fol­lo­wing steps can be helpful:

• Com­pa­nies should ana­ly­se which con­trac­tu­al agree­ments app­ly to the use of Copi­lot and how the­se are inte­gra­ted into any exis­ting con­trac­tu­al relationships.
• Once the con­trac­tu­al basis is estab­lished, com­pa­nies should sub­ject the use of Copi­lot to a (sup­ple­men­ta­ry) data pro­tec­tion impact assess­ment, which can be used to demons­tra­te com­pli­ance with data pro­tec­tion obli­ga­ti­ons as well as the assess­ment and docu­men­ta­ti­on of risks and appro­pria­te reme­di­al measures.

Fur­ther infor­ma­ti­on is con­tai­ned in our one-pager on the data protection-compliant use of Micro­soft 365 (.pdf) and in our one-pager on data pro­tec­tion impact assess­ment (.pdf).