What you need to know about privacy and security June 2026<\/em><\/p>\n Short answer: Yes, technically it is possible.<\/strong><\/p>\n If you're using Outlook, Exchange, or Microsoft 365, your emails are on Microsoft servers. In theory, they have access. This is how it works:<\/p>\n Automatic scans<\/strong> Microsoft scans all emails with Defender for Office 365 to prevent spam, malware and phishing. According to their own documentation, sometimes employees also look for security screening.<\/p>\n AI access via Copilot<\/strong> The AI Assistant Copilot in Microsoft 365 has access to your entire mailbox by default, unless you disable it. Copilot can summarize, search and analyze emails.<\/p>\n CLOUD Act<\/strong> This law gives U.S. authorities the right to request data from U.S. companies such as Microsoft regardless of where that data is located. So even if your emails are in a European data center, the US can claim them. The CLOUD Act is not the only law that makes this possible. Since the 1980s, U.S. laws such as the Stored Communications Act and FISA have given the government these powers.<\/p>\n Customer Lockbox<\/strong> For companies that use Microsoft 365, Customer Lockbox exists: Microsoft employees can access data only with the customer's consent. But this does not apply if the U.S. government gives an order.<\/p>\n Microsoft says it doesn't read emails by default. People only watch in exceptional cases, for example for security screening or if the law requires it.<\/p>\n But in practice it has happened:<\/p>\n In May 2026, it emerged that Microsoft had passed internal documents including emails, minutes, and invitations to a U.S. commission. Therein stood the Names and contact details of Dutch civil servants<\/strong> ACM and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), which are working on the European Digital Services Act (DSA).<\/p>\n The U.S. Commission had forced Microsoft to share these documents through a subpoena. Microsoft complied, but is not going to anonymize the personal data.<\/p>\n State Secretaries Aerdts (Digital Affairs) and Van der Burg (Home Affairs) called it extremely worrying.<\/p>\n Sources: Free Netherlands<\/a>, NIS<\/a>, Domestic governance<\/a><\/em><\/p>\n In February 2026, Microsoft discovered an error in Copilot: AI could read and summarize confidential emails, even if they were marked as confidential<\/strong> and should be beyond the reach of Copilot.<\/p>\n The bug was active from January 21, 2026. As a result, Copilot was able to view emails in the Concepts and Sent Items folders, including messages with security tags.<\/p>\n Sources: TechCrunch<\/a>, CyberNews<\/a><\/em><\/p>\n In 2025, Microsoft officially confirmed: Under the CLOUD Act, they must provide customer data to U.S. authorities if there is a legal order for this regardless of where that data is located.<\/p>\n So even if your emails are in a European data center, the US can claim them because Microsoft is an American company.<\/p>\n Sources: Dutch Cloud Community<\/a>, Intermax<\/a><\/em><\/p>\n A study by Privacy Company (commissioned by Justice and SURF) revealed risks in the use of Microsoft Teams, OneDrive and SharePoint by government and universities.<\/p>\n Microsoft collected diagnostic data about individual use: who calls or chats with whom, which documents are opened, etc. These risks remained even after agreements on privacy.<\/p>\n The report concluded that Microsoft needs to make more adjustments. If European regulators assess the risks even higher, Dutch organisations may no longer be allowed to use US cloud services at all.<\/p>\n Source: Security.NL<\/a><\/em><\/p>\n In 2020, Microsoft was sued for allegedly sharing customer data including emails, calendars and documents with third parties such as Facebook via Microsoft 365. Even if neither the customer nor their contacts had a Facebook account.<\/p>\n Microsoft denied and said it has robust privacy protections. But the case shows that customer data can reach commercial third parties in a non-transparent way.<\/p>\n Source: AlternativeTo\/The Register<\/a><\/em><\/p>\n Anthropic AI models enforced by US (June 2026)<\/strong> In 2026, the U.S. government forced access to the AI models and customer data of Anthropic, a leading AI company. This shows that not only traditional cloud data, but also the most advanced AI systems are subject to U.S. legal coercion. For European users, this means that their interactions with these systems can also fall into the hands of US authorities.<\/p>\n Trump and the CLOUD Act: Decades of Legislation in Action<\/strong> What Trump is doing is no surprise. The CLOUD Act (2018) is just the latest in a long line of U.S. laws that empower the government to demand data from U.S. companies. Since the 1980s, laws such as the Stored Communications Act (1986) and the Foreign Intelligence Surveillance Act (FISA, 1978) have given the U.S. government this possibility. Under the Trump administration (2017-2021), these powers were actively and reluctantly used to request data from tech companies. This is not a new policy, but a Decades of Existing Practice<\/strong> This is something that every American president can and will do.<\/p>\n FISA Court and mass data collection<\/strong> The Foreign Intelligence Surveillance Court (FISA Court) issues thousands of data collection orders every year. In 2023, it was revealed that Microsoft is one of the most appropriate companies for FISA requests. This not only concerned specific suspects, but also mass data collection that unintentionally grabs European citizens.<\/p>\n Executive Order 12333 (1981)<\/strong> This executive order, signed by President Reagan in 1981, gives U.S. intelligence agencies the authority to intercept foreign communications. Under this order, data from European citizens was also collected through US tech companies. Trump did not introduce these powers, but he actively used them during his term in office.<\/p>\n Conclusion: a structural problem<\/strong> These examples show that it is not a question of whether the US can access your data, but when. Every U.S. president, whether Biden, Trump or a future leader, has the legal authority and resources to demand data from U.S. tech companies. For the Netherlands and Europe, this means structural vulnerability<\/strong> It cannot be solved by technical measures alone.<\/p>\n LinkedIn fine in Ireland (2022)<\/strong> LinkedIn, owned by Microsoft, was fined \u20ac4.5 million by the Irish regulator DPC for leaking personal data of 500 million users. Among these users were also many Europeans, including Dutch.<\/p>\n Microsoft 365 banned in German schools (2022-2024)<\/strong> Several German states, including Hessen and Baden-W\u00fcrttemberg, banned the use of Microsoft 365 in schools because it did not comply with the GDPR. The reason: The data could be accessed by US authorities through the CLOUD Act, and Microsoft could not guarantee that European data would remain in Europe.<\/p>\n Fine in France (2022)<\/strong> French regulator CNIL fined Microsoft \u20ac60 million for installing cookies on French users' devices without their consent. This includes Windows 10 users.<\/p>\n Denmark suspends Microsoft 365 (2023)<\/strong> The Danish government suspended the use of Microsoft 365 in some public administrations after a risk analysis. The reason: The CLOUD Act made it impossible to guarantee that sensitive government data would not come into the hands of US authorities.<\/p>\n Research in Italy (2023)<\/strong> The Italian regulator Garante launched an investigation into Microsoft because data from Italian users was shared with third parties without permission. This concerned in particular the sharing of telemetry data with advertising networks.<\/p>\n Alerts from the Dutch AP (2023-2026)<\/strong> The Dutch Data Protection Authority has repeatedly warned against the use of Microsoft 365 in Dutch healthcare and government. In 2023, the AP published a manual highlighting that standard Microsoft 365 does not meet the requirements for processing special personal data, such as health data.<\/p>\n Schrems II ruling (2020 and consequences)<\/strong> Following the European Court of Justice's Schrems II ruling in 2020, which invalidated the Privacy Shield, the standard contractual clauses turned out to be insufficient for data transfers to the US. Microsoft was named as one of the companies that this caused major problems for European customers. Many Dutch organizations had to review their contracts with Microsoft or look for alternatives.<\/p>\n PRISM programme (2013, but still relevant)<\/strong> Microsoft was one of the first companies to participate in the NSA's PRISM program, unveiled by Edward Snowden in 2013. Data from European users, including Dutch, were shared with the US intelligence services. Although this has been around for some time, it remains an important reason for distrust of Microsoft's handling of European data.<\/p>\n If a practitioner sends an appointment confirmation via standard Microsoft email, it touches several rules:<\/p>\n Yeah, yeah.<\/strong> Even without a diagnosis or complaint, an appointment with a practitioner already reveals information:<\/p>\n According to the GDPR, health data is personal data related to physical or mental health. An appointment confirmation is included, even if there are no medical details in it.<\/p>\n The KNMG confirms: Medical-content information can also be derived from the fact that communication has been made to or from a certain e-mail address (such as psychiater@psychiater.nl).<\/p>\n GDPR (General Data Protection Regulation):<\/strong><\/p>\n Medical professional secrecy (BIG Act, Civil Code, Criminal Law):<\/strong><\/p>\n KNMG Directive:<\/strong><\/p>\n Only use ordinary e-mail if there is no confidential personal data in your e-mail (or the attachment). Use otherwise secure email.<\/p><\/blockquote>\n Medical professional secrecy takes precedence over the GDPR: first you have to check whether you do not violate professional secrecy, then only if you comply with the GDPR.<\/p>\n No, not in most cases.<\/strong><\/p>\n Sending an appointment confirmation via standard Microsoft email (without additional security) is a violation of:<\/p>\n Exceptions:<\/strong><\/p>\n Additional risk with Microsoft:<\/strong> Under the CLOUD Act and other U.S. laws, the U.S. government can force Microsoft to issue e-mails even if they are in Europe. This makes standard Microsoft email extra insecure for medical communication. It is not a question of whether this can happen, but when it will happen.<\/p>\n The KNMG and the AVG Helpdesk for Care are clear: use secure e-mail (end-to-end encrypted) or a care-specific messaging platform for this type of communication, not regular e-mail via a commercial cloud provider.<\/p>\n This document is based on public sources and is not legal advice. For specific questions, consult a specialist lawyer.<\/em><\/p>","protected":false},"excerpt":{"rendered":" Microsoft, email and medical professional secrecy What you need to know about privacy and security June 2026 Contents Microsoft can read your emails Does Microsoft really do that Recent incidents Medical professional secrecy and Microsoft email Sources Microsoft can read your emails Short answer: Yes, technically it is possible. If you're using Outlook, Exchange, or Microsoft 365, your emails are listed [\u2026]<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"ocean_post_layout":"","ocean_both_sidebars_style":"","ocean_both_sidebars_content_width":0,"ocean_both_sidebars_sidebars_width":0,"ocean_sidebar":"0","ocean_second_sidebar":"0","ocean_disable_margins":"enable","ocean_add_body_class":"","ocean_shortcode_before_top_bar":"","ocean_shortcode_after_top_bar":"","ocean_shortcode_before_header":"","ocean_shortcode_after_header":"","ocean_has_shortcode":"","ocean_shortcode_after_title":"","ocean_shortcode_before_footer_widgets":"","ocean_shortcode_after_footer_widgets":"","ocean_shortcode_before_footer_bottom":"","ocean_shortcode_after_footer_bottom":"","ocean_display_top_bar":"default","ocean_display_header":"default","ocean_header_style":"","ocean_center_header_left_menu":"0","ocean_custom_header_template":"0","ocean_custom_logo":0,"ocean_custom_retina_logo":0,"ocean_custom_logo_max_width":0,"ocean_custom_logo_tablet_max_width":0,"ocean_custom_logo_mobile_max_width":0,"ocean_custom_logo_max_height":0,"ocean_custom_logo_tablet_max_height":0,"ocean_custom_logo_mobile_max_height":0,"ocean_header_custom_menu":"0","ocean_menu_typo_font_family":"0","ocean_menu_typo_font_subset":"","ocean_menu_typo_font_size":0,"ocean_menu_typo_font_size_tablet":0,"ocean_menu_typo_font_size_mobile":0,"ocean_menu_typo_font_size_unit":"px","ocean_menu_typo_font_weight":"","ocean_menu_typo_font_weight_tablet":"","ocean_menu_typo_font_weight_mobile":"","ocean_menu_typo_transform":"","ocean_menu_typo_transform_tablet":"","ocean_menu_typo_transform_mobile":"","ocean_menu_typo_line_height":0,"ocean_menu_typo_line_height_tablet":0,"ocean_menu_typo_line_height_mobile":0,"ocean_menu_typo_line_height_unit":"","ocean_menu_typo_spacing":0,"ocean_menu_typo_spacing_tablet":0,"ocean_menu_typo_spacing_mobile":0,"ocean_menu_typo_spacing_unit":"","ocean_menu_link_color":"","ocean_menu_link_color_hover":"","ocean_menu_link_color_active":"","ocean_menu_link_background":"","ocean_menu_link_hover_background":"","ocean_menu_link_active_background":"","ocean_menu_social_links_bg":"","ocean_menu_social_hover_links_bg":"","ocean_menu_social_links_color":"","ocean_menu_social_hover_links_color":"","ocean_disable_title":"default","ocean_disable_heading":"default","ocean_post_title":"","ocean_post_subheading":"","ocean_post_title_style":"","ocean_post_title_background_color":"","ocean_post_title_background":0,"ocean_post_title_bg_image_position":"","ocean_post_title_bg_image_attachment":"","ocean_post_title_bg_image_repeat":"","ocean_post_title_bg_image_size":"","ocean_post_title_height":0,"ocean_post_title_bg_overlay":0.5,"ocean_post_title_bg_overlay_color":"","ocean_disable_breadcrumbs":"default","ocean_breadcrumbs_color":"","ocean_breadcrumbs_separator_color":"","ocean_breadcrumbs_links_color":"","ocean_breadcrumbs_links_hover_color":"","ocean_display_footer_widgets":"default","ocean_display_footer_bottom":"default","ocean_custom_footer_template":"0","_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_feature_clip_id":0,"_jetpack_memberships_contains_paid_content":false,"ocean_post_oembed":"","ocean_post_self_hosted_media":"","ocean_post_video_embed":"","ocean_link_format":"","ocean_link_format_target":"self","ocean_quote_format":"","ocean_quote_format_link":"post","ocean_gallery_link_images":"on","ocean_gallery_id":[],"footnotes":"","jetpack_post_was_ever_published":false},"categories":[25,73,32,31,61,187,23,60],"tags":[79,57,141,135,134,376,221,35,136,55,42,43,49,70,374,373,72,59,38,92,39,80,54,375,147,83,40,146,36,27],"class_list":["post-2413","post","type-post","status-publish","format-standard","hentry","category-freelance","category-nextcloud","category-persoonlijk","category-professioneel","category-spreker","category-spreker-pers","category-tech","category-trainer","tag-angst","tag-bigbadbully","tag-brief-aan-overheid","tag-cloud-act","tag-diefstal","tag-digitale-autonomie","tag-digitale-wereld","tag-focus","tag-gdpr","tag-gdpr-compliant","tag-hosting","tag-kantoor-software","tag-koerswijziging","tag-logisch","tag-medisch","tag-microsoft","tag-nextcloud","tag-onderwijs_en_meer","tag-onlogisch","tag-open-server","tag-overheid","tag-politiek","tag-privacy","tag-soeverein","tag-toondoof","tag-valvanmijnstoel","tag-verhuizen","tag-vrijheid","tag-wat-is-echt-belangrijk","tag-weg-van-big-tech","entry"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/posts\/2413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/comments?post=2413"}],"version-history":[{"count":5,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/posts\/2413\/revisions"}],"predecessor-version":[{"id":2418,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/posts\/2413\/revisions\/2418"}],"wp:attachment":[{"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/media?parent=2413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/categories?post=2413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.data-pro.nu\/en\/wp-json\/wp\/v2\/tags?post=2413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Contents<\/h2>\n
\n
Can Microsoft read your emails?<\/h2>\n
Does Microsoft really do that?<\/h2>\n
\n
Recent events<\/h2>\n
Names of Dutch officials leaked to US<\/h3>\n
Copilot Reads Confidential Emails<\/h3>\n
CLOUD Act: The U.S. Can Require Data<\/h3>\n
Privacy risks in education and government<\/h3>\n
Data shared with Facebook<\/h3>\n
\nVulnerability under U.S. law<\/h3>\n
\nOther cases where Microsoft handled European data insecurely<\/h3>\n
Medical professional secrecy and Microsoft email<\/h2>\n
\n
Is an appointment confirmation already confidential<\/h3>\n
\n
What the law says<\/h3>\n
\n
\n
Case law (recent)<\/h3>\n
\n
Conclusion: may or may not<\/h3>\n
\n
\n
Sources<\/h2>\n
Microsoft and email privacy<\/h3>\n
\n
DSA scandal (May 2026)<\/h3>\n
\n
CLOUD Act and U.S. law<\/h3>\n
\n
Medical professional secrecy and GDPR<\/h3>\n
\n