Recent research by SURF has revealed major privacy risks associated with Microsoft 365 Copilot, leading the organization to recommend educational and research institutions avoid using the AI tool for now.
A comprehensive Data Protection Impact Assessment (DPIA) conducted in 2024 by SURF and Privacy Company experts identified several concerning issues with the generative AI assistant. The assessment focused specifically on usage patterns among employees and adult students, as Microsoft currently restricts paid education licenses for minors.
The investigation uncovered a troubling lack of transparency from Microsoft regarding data collection and storage practices for Copilot. Users attempting to access their personal data receive incomplete and unclear information about how their information is being handled.
Another key finding highlights the tool's tendency to generate inaccurate and partial personal data. The assessment noted that users often place excessive trust in the AI system, potentially leading them to work with incorrect information without realizing it.
While SURF maintains ongoing discussions with Microsoft to address these issues, the organization determined that the current privacy safeguards remain insufficient. Until Microsoft implements adequate protective measures, SURF strongly advises educational and research institutions to suspend their use of Microsoft 365 Copilot.
The complete findings from the DPIA have been made public by SURF for transparency. The organization has committed to keeping member institutions informed of any developments as they continue working with Microsoft to resolve these privacy concerns.