Outlook stores email in Microsoft Cloud – what you need to know

Many of our users have long relied on Outlook as their email client, but recent changes to how data is managed raise important privacy and control concerns. While the interface may look familiar, Microsoft has fundamentally changed how the new Outlook works behind the scenes — including how your emails are stored and accessed. In this article, we look at what’s changed and why you might want to consider other options.

What Changed?

In the new version of Outlook (starting with the 2023 rollout and continuing into September of 2024), the email client, or app, no longer connects directly to your email provider such as Runbox, Gmail, or Yahoo. Instead, Microsoft’s own cloud service now logs in to your email account on your behalf. Your details are stored on Microsoft’s cloud servers — not just on your device.

Traditionally, in Outlook 2007, 2010, 2013, 2016 and 2019, Microsoft just provided the tool. Outlook would log in directly to Runbox (or other email services) using the credentials you gave it. The connection was between your device and Runbox, via POP or IMAP and SMTP.

The new Outlook acts more like a middleman, and the app is now more like a web-based client than a traditional desktop program. It no longer logs directly in to the Runbox servers, but rather uses a web connection (HTTPS) via Exchange Web Services (EWS) or Outlook Web Access (OWA). This means that Microsoft’s own cloud service logs in to your email account, stores a copy of your emails, and then delivers that data to your Outlook app.
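The difference described above is visible from the mail server's side. This added example (not Runbox's or Microsoft's code) sorts successful IMAP logins by whether the source address belongs to a user's device or to a cloud range. The Dovecot-style log format, the sample lines and the CIDR ranges are constructed assumptions; the ranges are RFC 5737 documentation addresses standing in for a provider's published list.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: placeholder CIDRs from the RFC 5737 documentation ranges, standing in
# for a cloud provider's published address ranges; load the real list in practice.
CLOUD_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample lines in Dovecot's imap-login format (not real log data).
SAMPLE_LOG = """\
May 02 09:14:01 mx imap-login: Login: user=<alice@example.com>, method=PLAIN, rip=192.0.2.44, lip=192.0.2.1, TLS
May 02 09:20:17 mx imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.1, TLS
May 02 09:20:48 mx imap-login: Login: user=<bob@example.com>, method=PLAIN, rip=203.0.113.9, lip=192.0.2.1, TLS
May 02 09:31:05 mx imap-login: Login: user=<carol@example.com>, method=PLAIN, rip=203.0.113.200, lip=192.0.2.1, TLS
May 02 09:32:00 mx imap-login: Disconnected (auth failed): user=<bob@example.com>, rip=198.51.100.23
"""

LOGIN_RE = re.compile(r"imap-login: Login: user=<(?P<user>[^>]+)>.*?\brip=(?P<rip>[0-9A-Fa-f:.]+)")


def is_cloud(ip_text, ranges=CLOUD_RANGES):
    """True if the address falls inside any listed range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed address in the log: treat as unclassified
    return any(ip.version == net.version and ip in net for net in ranges)


def classify_logins(log_text, ranges=CLOUD_RANGES):
    """Return {user: {"direct": set_of_ips, "cloud": set_of_ips}} for successful logins."""
    result = defaultdict(lambda: {"direct": set(), "cloud": set()})
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue  # skip failed logins and unrelated lines
        kind = "cloud" if is_cloud(m["rip"], ranges) else "direct"
        result[m["user"]][kind].add(m["rip"])
    return dict(result)


def proxied_users(log_text, ranges=CLOUD_RANGES):
    """Users whose mailbox was opened from a cloud range, i.e. by an intermediary."""
    return sorted(u for u, seen in classify_logins(log_text, ranges).items() if seen["cloud"])


if __name__ == "__main__":
    for user, seen in classify_logins(SAMPLE_LOG).items():
        print(user, "cloud:", sorted(seen["cloud"]), "direct:", sorted(seen["direct"]))
```

A mailbox that shows only cloud-range logins is being read by an intermediary service, not by a client running on the user's own device.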

Most Microsoft programs and apps are now hosted and stored on their Azure infrastructure, including the new Outlook. Note that the classic version of Outlook can be used without Azure when configured via POP/IMAP or Exchange Server.

We think this presents a privacy issue, because your email and your authentication details are being stored by Microsoft.

Why Did Microsoft Do This?

According to Microsoft, this new system improves performance, and creates a unified, modern experience across all platforms. The web-based interface integrates better with Microsoft 365 services, where emails, documents, and collaboration tools are stored and accessed through Microsoft’s cloud infrastructure.

Microsoft can more easily collect and analyze usage data, helping them better understand how users interact with Outlook. This allows them to make improvements, troubleshoot issues, and tailor the product based on user behavior.

Many users didn’t realize that switching to the new Outlook meant a change in how the app works, and that all their emails – no matter the provider – would be routed through and stored on Microsoft’s own cloud servers.

This Raises Privacy Concerns

Emails stored in the cloud: Outlook stores OAuth credentials so it can fetch your emails. OAuth is a secure authorization protocol that lets the app access your data without needing your actual password. Instead of sharing your password, the app gets tokens, which act like digital keys.

Access tokens are short-lived, usually valid for minutes to an hour, and let the app access your account’s data and emails, which are then stored and cached in Microsoft’s cloud. Refresh tokens are longer-lived, and are used to get a new access token when the old one expires.

Broad permission: Users implicitly give Microsoft permission to process and access data, and there isn’t always a clear statement about what data is collected and processed, when, or by whom. This raises concerns, especially for businesses, where sensitive data could be exposed without their knowledge.

Legal and data jurisdiction issues: Depending on where Microsoft stores your data, it could be subject to different laws. Even if Microsoft claims that your data is stored on servers in the EU, data may still be subject to US jurisdiction and surveillance laws (Cloud Act). They might also duplicate or relocate data for redundancy and performance reasons, and store that data elsewhere.

No clear way to disable it: Users aren’t given an easy option to go back to direct server connections. Users have limited control in the new Outlook over whether connections are made directly to external mail providers or routed through Microsoft. Standardized POP/IMAP-style configurations are generally unsupported in new Outlook.

AdTech: Microsoft now shows ads in the free version of Outlook that look like regular emails. They appear at the top of your inbox and, despite being labeled as “ads,” can be easily mistaken for real messages. Microsoft has partnered with Taboola to sell and display ads across several services, such as MSN.com, Microsoft Outlook, Games, and the broader Office Suite.

Free vs Paid version: Both the free and paid versions of Microsoft Outlook store emails, images and attachments in the cloud, as part of Microsoft’s cloud-based infrastructure. This means that your messages are hosted on Microsoft’s servers rather than solely on your device.

Compliance with GDPR

Microsoft publicly states that it complies with the General Data Protection Regulation (GDPR) — the EU’s strict data privacy law — across all its services, including Outlook, Office 365, Azure, Xbox and more.

They’ve taken steps such as creating an EU Data Boundary to ensure that personal data of EU customers using Microsoft cloud services is stored and processed within the European Union.

Microsoft offers data subject rights tools, so users and organizations can request data access, deletion, or correction. They provide Data Protection Agreements (DPAs) for business customers, and have appointed a Data Protection Officer.

But There’s a Catch

There is no guarantee that emails or authentication data are stored or processed within the EU.

The EU Boundary applies primarily to enterprise accounts, and personal accounts are not clearly included. Microsoft may replicate data across regions for performance and redundancy.

Microsoft may store or move your data across regions, making it subject to various laws, including US surveillance under the Cloud Act – even if it is also hosted in the EU.

If you’re using the new Outlook app and connecting to your Runbox account, Microsoft may still process your data through systems not fully covered by the EU Data Boundary.

Personal Microsoft accounts are not guaranteed to be covered by the boundary. According to Microsoft’s official documentation:

“The EU Data Boundary is a geographically defined boundary within which Microsoft has committed to store and process Customer Data and personal data for our Microsoft enterprise online services, including Azure, Dynamics 365, Power Platform, and Microsoft 365.”

This implies that the EU Data Boundary applies to enterprise services, and personal Microsoft accounts are not necessarily covered under this commitment.

What Can You Do?

Use Runbox Webmail: Cut out the middleman completely, and use Runbox webmail. This offers several practical benefits, especially in terms of simplicity, privacy, and control. Your emails are always quickly available and accessible, there is no need to sync anything. There is less metadata exposure because you are only using Runbox. You can use 2FA to secure your account, and you avoid app permissions and integration risks.

Use a different email client: If you want to use a client, apps like Thunderbird, Apple Mail and others still use traditional connections and log directly in to Runbox servers. Runbox supports IMAP and POP so you can connect easily.

Stick to the older versions of Outlook, which are connected directly and not through Microsoft’s cloud.

Be cautious with third-party accounts in Outlook: Especially if you’re adding sensitive work-related or personal email accounts.

Final Thoughts

The way the new Outlook version works raises some privacy concerns, with less control over your data and more reliance on Microsoft’s cloud. Our aim with this article is to ensure our users have the information they need to make an informed decision about their data privacy and security.

There are other transparent alternatives out there – we have some of them listed here: Recommended Email Programs. And please reach out to us if you have other suggestions.
