
NTNU, exit report: Copilot through the lens of data protection

How can M365 Copilot be understood in light of data protection regulations?

We begin by highlighting some key concepts and terms from data protection legislation that we believe are important to keep in mind when considering implementing and using M365 Copilot in your organisation. We hope this will help to avoid misunderstandings from the start that could lead to consequential errors.

Key concepts and terms

Personal data

This is defined in Article 4(1) GDPR as ‘any information relating to an identified or identifiable natural person’. Even if a piece of information about someone is incorrect, for example when a large language model has generated a fact about an individual that is wrong, it counts as (incorrect) personal data. The same applies to predictions and assumptions about a person.

The data subject

An identified or identifiable natural person (Article 4(1) GDPR). In other words, it is the individual to whom information can be linked.

Erasure and accuracy

Every reasonable step must be taken to ensure that personal data that are incorrect, having regard to the purposes for which they are processed, are erased or rectified without delay, in accordance with the accuracy principle (Article 5(1)(d) GDPR). This means that users must be adequately trained, and NTNU must have procedures in place to reduce the risk of M365 Copilot generating incorrect personal data. If this nevertheless happens, the personal data must be erased or rectified without delay.

Processing

Article 4(2) GDPR defines processing as ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as (…)’. The legislator has deliberately given the term ‘processing’ a wide scope. This is evident both from the term ‘any operation’ and from the non-exhaustive nature of the definition, made clear by the use of ‘such as’.

Any processing of data must have a legal basis pursuant to Article 6 GDPR. To determine the correct legal basis, the purpose of the processing and which personal data are to be processed must first be clarified. Which specific processing operations will take place must also be identified before the legal basis can be assessed and selected. In addition, if special categories of personal data are to be processed, a valid exception to the prohibition in Article 9 must be identified. ‘M365 Copilot in the operational phase’ or ‘introduction of M365 Copilot’ is not a specific processing operation.

Purpose of the processing and the purpose limitation principle

‘Purpose’ is the very cornerstone of the GDPR. The purpose is the reason why a processing operation takes place, and it is the purpose that sets the limits for which personal data are to be processed and how. The GDPR states that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (Article 5(1)(b)). In the context of M365 Copilot, the terms ‘specified’ and ‘explicit’ are especially important. The purpose must be determined at the time of collection of the personal data at the latest, unless a new purpose is compatible with the original purpose pursuant to Article 6(4) GDPR.

It is necessary to look at the purpose in order to comply with, among other things, the data minimisation principle, where personal data must be adequate, relevant and limited to what is strictly necessary to achieve the purpose.

The data minimisation principle

The data minimisation principle means that personal data must be adequate, relevant and limited to what is necessary for the purposes for which they are processed. It is therefore necessary to consider the purpose (which should already be identified in line with the purpose limitation principle) when assessing which and whose personal data are adequate, relevant and necessary to achieve the purpose.

Recipient

The concept is defined in Article 4(9) GDPR as ‘a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not.’

M365 Copilot can easily be personified, because it poses as a natural person through the way it answers. This can lead to an incorrect way of thinking when the tool is assessed from a data protection perspective and can lead to consequential errors in subsequent assessments. For example, M365 Copilot is not a ‘recipient’ within the meaning of the GDPR.

Records of processing activities

Each data controller is obliged to maintain a record of its processing activities, including the purposes of the processing, as well as which and whose personal data are processed to achieve the purpose (Article 30 GDPR). The information in the record of processing activities largely coincides with what the data subjects must be informed about. Some new processing activities will inevitably follow from the introduction of M365 Copilot, such as logging interactions (the content of interactions log). New processing activities must be recorded in the record of processing activities and the data subject must be informed in accordance with Article 13 GDPR.

Map and describe the processing

The provisions of the GDPR relate to ‘processing’ of personal data, as defined in Article 4(2) GDPR (see above). M365 Copilot is not in itself a processing operation, but a tool or set of functions – i.e. the ‘means’ – that can be used to process personal data in many different ways and for different purposes. However, the predefined purpose, and what is necessary to achieve this purpose, limits which personal data can be processed and in what way.

Need for mapping

The first thing to do is therefore to map and describe the processing that will take place if M365 Copilot is used in connection with a specific purpose, i.e. from when a prompt is entered into M365 Copilot until it generates an answer. Often one will want to use M365 Copilot in connection with processing that is already taking place, and by mapping what is new when taking M365 Copilot into use, you will be able to compare the ‘old’ processing and the ‘new’ processing, and then identify the new processing operations (‘set of operations’) that may or will occur.

Advantages of systematic description

A systematic description of the ‘new’ processing offers several advantages.

  • Choice of legal basis: It will be possible to determine which legal basis is most suitable for the processing.
  • Assessment of necessity and proportionality: A comparison between the old and new processing helps to assess the need for and the proportionality of the new processing.
  • Risk mitigation: It will be possible to identify what technical or organisational measures should be put in place to mitigate risk, for example by having specific guidelines or procedures for effective prompt design, by changing what kind of access a particular user role should have, or by turning available settings on or off in M365 Copilot.

NTNU's use cases

NTNU looked at three selected use cases in the sandbox project (NTNU’s findings report, pp. 43–51). However, they deliberately chose not to consider them in their DPIA. Instead, they look at the product at a higher level. NTNU should specify and describe each new processing operation that will take place when M365 Copilot is used.

The record of processing activities may be an appropriate place to start. More information about systematic descriptions of processing can be found in the Norwegian Data Protection Authority’s DPIA checklist (in Norwegian only).

Often, several processing operations are carried out with personal data for one specific purpose. When a case officer is processing an application for admission to a study programme and must respond to an enquiry, they can first look for relevant information in the databases they have access to. This may include previous correspondence with other applicants about similar enquiries, previous decisions or internal guidelines. Such searches involve the processing of personal data, the results of which may contain both relevant and irrelevant information and personal data. It is the case officer who decides what is relevant and what they want to use going forward.

Automatic and "hidden" processing operations

One of the innovations with M365 Copilot is that such processing operations are done automatically, and the content is summarised and made available in a different format than before. It is not a given that this entails a new processing operation, but it must be considered. For example, if more personal data are processed or personal data are collated in a different way when M365 Copilot is used in connection with the task, it is important to identify and describe these new processing operations.

Example:

In use case A, the task does not necessarily involve the processing of personal data without the use of M365 Copilot.

By using M365 Copilot, information about the user and possibly others may be processed because M365 Copilot will look for and use information it finds in ‘nearby documents’ (emails, chats, calendar invitations etc.) to enrich prompts and create outputs that are more relevant to the user. The scope of personal data that can be processed will depend on the individual user’s access control, and may also be affected by the M365 Copilot settings (for example, by turning off ‘Graph-grounded chat’) or by the use of ‘prompt engineering’ (i.e. how the prompt is designed). The purpose of the processing can be described as helping the user to write a report more effectively. This can be considered a completely new processing operation, for a purpose that did not exist before M365 Copilot was used in connection with the task.

Example:

In use case B, the task involves the processing of personal data without the use of M365 Copilot, and should already be described in the record of processing activities. This may be described as follows: The purpose of keeping minutes of internal meetings is to document internal decisions made in the organisation. The meeting participants’ names, roles and (a summary of) what was said in the meeting are recorded in writing and stored in a place where those who have an objective need for it have access.

When using M365 Copilot, new processing operations will take place in the form of recording and transcribing the meeting that will involve the processing of more personal data than before, such as voice, tone of voice, form of expression, gender (assumption from voice), as well as (personal) data that M365 Copilot finds when looking for ‘nearby documents’. In addition, the optional settings can influence what other processing operations take place (e.g. an overview of who is talking, when and for how long).

Example:

In use case C, the task involves the processing of personal data also without the use of M365 Copilot, and the processing should already be described in the records of processing activities. The purpose of the processing is to process applications for admission to a study programme. The case officer must assess whether all the necessary information is included in the application and respond to the enquiry as part of the case processing. Personal data received in the email are used to assess whether all the required information has been received.

When using M365 Copilot, new processing operations may take place, but this must be considered in relation to how applications are currently processed, including any existing processing activities related to, for example, searches. It is important to investigate whether the scope of personal data processed will be expanded. Information about the applicant, the user and possibly others may be processed because M365 Copilot will look for and use information it finds in ‘nearby documents’ (emails, chats, calendar invitations etc.) to enrich prompts and create outputs that are more relevant to the user, such as a tailored answer directed at the applicant but similar to answers given to previous applicants. In addition, the optional settings can affect what other processing operations take place (e.g. by turning off ‘Graph-grounded chat’), as can the use of ‘prompt engineering’ (i.e. how the prompt is designed).

It is also important to consider new processing operations that will occur regardless of the task for which M365 Copilot is used, such as the content of interactions log and, if relevant, profiling of the user, which may occur for other, new purposes.

Assess the legal basis

According to Article 6 GDPR, the processing of personal data is only lawful if one of the conditions set out in Article 6(1)(a) to (f) is met. In its DPIA, NTNU has described that it is difficult to define one or more clear and distinct purposes for using M365 Copilot. NTNU concludes that the legal basis for ‘M365 Copilot in the operational phase’ is legitimate interest pursuant to Article 6(1)(f) GDPR. It is important for us to point out that this is not in line with the GDPR because ‘M365 Copilot in the operational phase’ does not constitute a ‘processing operation’. M365 Copilot can be used as a means of performing many different processing operations for different purposes with different legal bases.

It is important to know what legal basis can be applied for each planned processing operation, preferably before the DPIA stage and at the latest before using M365 Copilot. If special categories of personal data are going to be processed, such processing must be based on one of the exemptions listed in Article 9. When the same personal data are processed for different purposes, the processing for each of those purposes must have a legal basis.

If it concerns an existing processing operation, the conditions of the original legal basis must be reassessed, based on the description of the new processing operations.

What is necessary?

All alternatives in Article 6(1) (b) to (f) GDPR contain a condition that ‘processing [of personal data] is necessary’ (our emphasis). The necessity condition will be met if the purpose of the processing cannot reasonably be achieved as effectively by other means that are less restrictive of the rights and freedoms of data subjects.

The necessity condition must be interpreted restrictively, as it allows the processing of personal data without the data subject’s consent. Necessity must also be considered in the context of the data minimisation principle set out in Article 5(1)(c) GDPR, which requires personal data to be adequate, relevant and limited to what is necessary for the purposes for which they are processed. The data minimisation principle is an expression of the proportionality principle. Among other things, proportionality requires that the benefits of restricting a right are not outweighed by the disadvantages of exercising that right.

We discuss the importance of the necessity condition in the context of Article 6(1) (e) and (f) GDPR below.

Efficiency and necessity

In some Norwegian legal sources, it has been argued that effective case management in public administration can be regarded as a ‘substantial public interest’ under Article 9(2)(g) GDPR. In our view, effectiveness may in some cases be interpreted as being a part of a purpose based on Article 6(1)(e) GDPR. This may be relevant for NTNU as a public institution.

NTNU’s assessment of the necessity condition under Article 6(1)(e) should, among other things, take the following into account:

  • Is M365 Copilot suitable to achieve NTNU’s purpose in a better way?
  • To what extent will NTNU be better placed to achieve the purpose of the processing if M365 Copilot is used?
  • Are there any other ways that NTNU can reasonably achieve the purpose just as well?
  • How much more restrictive are the new processing operations for the data subjects’ rights and freedoms?
  • Can NTNU implement any measures to make processing with Copilot less invasive?

If it is not possible to assess whether the necessity condition is met at this stage, it may be considered at the DPIA stage where the following are considered: ‘the necessity and proportionality of the processing operations in relation to the purposes’, ‘an assessment of the risks to the rights and freedoms of data subjects’ and which measures can be implemented to manage the risks and ensure the protection of personal data (Article 35(7) GDPR).

If the necessity condition cannot be met, even after measures identified in the DPIA are implemented, M365 Copilot cannot be used for the applicable processing.

For processing currently performed by NTNU for a purpose it has decided itself and which is based on the pursuit of a legitimate interest pursuant to Article 6(1)(f) GDPR, NTNU may consider including efficiency as a legitimate interest it wishes to pursue. The Court of Justice of the European Union has stated that making a service more efficient cannot be ruled out as a legitimate interest. However, this will often involve adjusting the purpose of the processing and expanding which processing operations are necessary to achieve the legitimate interests.

This is, however, contingent on:

  • the processing not being carried out by public authorities in the performance of their tasks (Article 6(1) second subparagraph GDPR);
  • the new purpose being compatible with the original purpose if, as will often be the case, the personal data to be processed were collected for another purpose (Article 6(4) GDPR);
  • NTNU conducting a new, updated balancing of interests assessment that falls in NTNU’s favour; and
  • NTNU complying with all the other obligations in the GDPR.

If one of the above conditions cannot be met, even after measures identified in the DPIA are implemented, M365 Copilot cannot be used for the applicable processing.

For processing for a new purpose, NTNU must be able to identify a legal basis for the processing in the usual manner.

Use of consent

In order for NTNU to use consent as a legal basis for processing, it must be voluntary, specific, informed and unambiguous. In the context of M365 Copilot, this means, among other things, that NTNU must be able to clearly explain to the data subject how personal data are to be processed when M365 Copilot is used, thus ensuring foreseeability for the data subject. This may be difficult, especially if the data subject has little knowledge of generative AI and how M365 Copilot works. The power imbalance between NTNU and the individual must also be assessed. For example, public authorities or employers will normally not be able to use consent as a legal basis for processing since the data subject is in a dependent relationship.

This does not mean that the use of consent as a legal basis for processing can be completely ruled out in relation to Microsoft 365 Copilot, but whether the consent conditions can be met must be considered specifically per use case and its associated processing operations. There may also be cases in employee-employer relationships where the employer can demonstrate that consent is voluntary, with no disadvantage to the employee if they do not consent to the processing. It is also important to remember that a data subject can only consent to the processing of their own personal data, while the use of Copilot may often involve the processing of several people’s data, even if the input or output only concerns one person.

Careful consideration must therefore be given to whether consent is an appropriate legal basis in light of the individual processing operation in question, and whether the conditions for consent can be met.