What is Microsoft Purview’s Communication Compliance?
Microsoft Purview Communication Compliance is an insider risk solution designed to help organizations detect and act on regulatory compliance and business conduct violations, such as sharing sensitive information, harassing or threatening language, and adult content. In practice, these features are enforced by predefined and custom policies, and designated reviewers can investigate the matches those policies produce. According to Microsoft, these features include privacy measures like pseudonymized usernames, role-based access controls, and audit logs to ensure user-level privacy.
Designated reviewers can investigate policy matches for the communication channels listed below:
- Email (Microsoft Exchange Online)
- Microsoft Teams
- Microsoft 365 Copilot
- Microsoft 365 Copilot Chat
- Viva Engage
- Third-party communication tools, such as Slack, Zoom and Instant Bloomberg
- Other additional integration capabilities via Microsoft Graph API

What regulations need to be understood before proceeding with the implementation?
Laki yksityisyyden suojasta työelämässä – Act on the Protection of Privacy in Working Life (759/2004; amendments up to 347/2019 included)
This Act lays down provisions on the processing of personal data concerning employees, the performance of tests and examinations on employees and the related requirements, technical surveillance in the workplace, and retrieving and opening employees’ electronic mail messages.
Link to the legislation is here.
Tietosuojalaki – Data Protection Act (1050/2018)
This Act specifies and supplements Regulation (EU GDPR) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereafter the Data Protection Regulation, and its national application.
Link to the legislation is here.
Työehtosopimukset – Collective Bargaining Agreements (CBAs)
In Finland, sector-specific CBAs might contain additional rules or expectations about surveillance or employee privacy. You may need to negotiate or consult with employee representatives before launching any monitoring system – such as Microsoft Purview Communication Compliance.

This is the typical process for effective use of the Communication Compliance solution.
Features that may conflict with the Finnish regulations
Monitoring of private or personal communications
Under the Finnish Act on the Protection of Privacy in Working Life, you cannot monitor personal or private communications, even on company devices. Even with a legitimate business purpose, if a system collects non-business or personal data, it may violate employee privacy rights.
Features at risk:
Communication Compliance > Policies > Channels selection
- Chat communications for public and private Microsoft Teams channels and individual chats
- All mailboxes hosted on Exchange Online in your Microsoft 365 organization are eligible for analyses
- Viva Engage: Private messages and public community conversations in Viva Engage are supported
- Third-party sources: You can check messages from third-party sources for data imported into mailboxes in your Microsoft 365 organization.
Possible mitigation methods:
Ensure monitoring applies only to official communication channels designated for work. Use data filtering or exclusion rules to avoid capturing private content (e.g., exclude messages marked as private or outside of working hours if possible). Avoid private 1:1 chats or clearly separate them from monitored workspaces. Use inclusion/exclusion filters (e.g., user groups, department-specific policies) to narrow the scope. This might be a very cumbersome and long process, but as stated above – very necessary.
Use of pre-defined classifiers / Machine Learning models
Using Communication Compliance classifiers may qualify as profiling or automated decision-making under GDPR Article 22. There is also a possibility of false positives and reputational harm without due process.
Features at risk:
Communication Compliance > Classifiers
Machine learning classifiers (predefined or custom) for identifying messages (e.g., to detect “Offensive Language,” “Sexual Harassment,” “Threat,” or “Confidential Information”)
Possible mitigation methods:
Always include human review before any action is taken and provide avenues for employees to challenge flags. Clearly define classifier purpose and ensure legal basis (e.g., for workplace safety or regulatory compliance). Exclude classifiers for casual or inappropriate language.
This feature listing will continue in the next blog post. It’s now available here.
Disclaimer
The content of this blog is provided for informational purposes only and reflects the author’s professional perspective as a security and compliance consultant. It is not intended as legal advice.
While every effort has been made to ensure accuracy and relevance—especially in relation to Finnish data protection, labor, and workplace privacy regulations—the author is not a lawyer and this content should not be relied upon as a substitute for qualified legal counsel. Organizations planning to implement Microsoft Purview Communication Compliance or similar technologies are strongly encouraged to consult with legal professionals experienced in Finnish legislation and sector-specific regulations before taking action.