Data protection with Microsoft 365 Copilot

Let artificial intelligence (AI) do the work in the company? What has sounded like science fiction so far is something Microsoft wants to make possible in the future. With Microsoft 365 Copilot, Microsoft will in future offer its business customers a paid AI tool. We explain below what impact Copilot will have on data protection.

Microsoft 365 Copilot

Microsoft 365 Copilot is a new AI solution from Microsoft that will be implemented in Microsoft 365 to help businesses optimise their performance. Copilot integrates large AI language models, known as Large Language Models (LLMs), which are based on large amounts of text data and used to generate text-based content, into Microsoft 365 apps and the Microsoft Graph application. The special feature of this approach is said to be that the LLMs do not generate content based on arbitrary data sources, as is usually the case, but instead generate company-specific and contextual responses by accessing the data of the respective business customer from Microsoft Graph in real time. Copilot is intended to be included in the Microsoft 365 E3, E5, Business Standard and Business Premium subscriptions as a paid add-on subscription in the future. The exact date is not yet known.

The data protection issue

Since Copilot requires an analysis of all business data, privacy concerns are quickly raised. According to Microsoft, however, the new business model will guarantee business customers greater data privacy and data security in addition to the benefit of contextual content generation. For the use of Copilot, Microsoft says it will adopt the company's existing Microsoft 365 security and privacy policies and will isolate and protect company-related data within the Microsoft 365 tenant, and companies are said to keep full control of their own data. In addition, the company data will not be used for training purposes. Moreover, Microsoft promises to adhere to the Microsoft AI Principles and Microsoft Responsible AI Standards. It remains to be seen how these promises will be contractually backed. However, since Copilot will be part of the Microsoft 365 product family, the existing data protection and compliance obligations will also be relevant here, so that the Microsoft Products and Services Data Protection Addendum (DPA) will probably apply.

Implications for practice

Due to the complexity and the wide range of possible uses of Copilot, it is not possible to make a blanket statement on whether its use conforms with data protection law. The specific use in the company and the circumstances of the individual case are decisive. As a new member of the Microsoft 365 product family, Copilot will in all likelihood also encounter heavy criticism from the data protection supervisory authorities. However, companies should not be deterred by this criticism, but should examine the possibility of a data protection-compliant use of the AI tool in the specific individual case. The following steps can be helpful:

  • Companies should analyse which contractual agreements apply to the use of Copilot and how these are integrated into any existing contractual relationships.
  • Once the contractual basis is established, companies should subject the use of Copilot to a (supplementary) data protection impact assessment, which can be used to demonstrate compliance with data protection obligations and to assess and document risks and appropriate remedial measures.

Further information is contained in our one-pager on the data protection-compliant use of Microsoft 365 (.pdf) and in our one-pager on data protection impact assessment (.pdf).
