This post aims to delve into the limitations of Microsoft Graph API for OneNote data portability under GDPR, including insights from Microsoft's privacy team regarding their compliance approach.
1. Complexity of Microsoft Graph API: The Graph API, while powerful, presents complexity that can be a barrier for non-technical users, complicating the process of efficiently transferring OneNote data with its original structure and format intact.
2. Incomplete Data Access with Graph API: The API doesn't fully cater to the needs of accessing all features, structures, and formatting of OneNote, an essential aspect for users who wish to maintain the integrity of their data during transfer.
3. Structural and Formatting Limitations: One of the key challenges with the API is its inability to preserve the original structure and formatting of OneNote data, vital for a seamless transition to other platforms.
4. GDPR Technical Hindrance - Reference to WP242: WP242's interpretation of GDPR Article 20(1) highlights the right to data transmission without hindrance, including technical obstacles like limited API access or interoperability. This point underscores the challenges posed by the Graph API in the context of OneNote data portability.
According to WP242 on GDPR Article 20(1), "data subjects have the right to transmit the data to another controller without hindrance from the controller to which the personal data have been provided." Hindrance is defined as "any legal, technical or financial obstacles placed by the data controller in order to refrain or slow down access, transmission or reuse by the data subject or by another data controller." This includes issues like "lack of interoperability or access to a data format or API," which is particularly relevant in the context of the Graph API's limitations for OneNote data portability.
5. Comment from Microsoft's Privacy Team: Microsoft’s privacy team suggests using the .one file format for GDPR export compliance. The format is documented at [MS-ONE]: OneNote File Format | Microsoft Learn. They recommend downloading .one files as the primary method for GDPR export. Additionally, they propose using the Win32 client to open the notebook and export it from the File tab, offering options to download the entire notebook, a section, or a page.
6. Analyzing Microsoft's Suggestion: While Microsoft's response provides an alternative, it raises questions about the practicality and efficiency of these methods, especially for users seeking a straightforward and comprehensive solution for data portability.
7. Microsoft's Capabilities and the Word Export Feature: Despite Microsoft's expertise, demonstrated in their Word export feature (a ZIP file with XML data), they only offer a page-by-page export rather than a full notebook export. This limitation is surprising and falls short of what might be expected from a leading software company.
8. Expectations from Microsoft: Given Microsoft's stature as the world's largest company, one would expect a more user-friendly, efficient approach to data portability. This gap between expectation and reality not only affects user experience but also raises concerns regarding GDPR compliance.
Despite Microsoft's vast resources and leading position in the tech industry, their current tools for exporting OneNote data – notably the Microsoft Graph API and the .one file format – are not fully aligned with the expectations set by GDPR. These tools often appear complex and inadequate for ensuring that data retains its structure and format when ported, a key requirement under the GDPR's data portability clause.
The GDPR emphasizes the right of individuals to easily access and transfer their personal data in a machine-readable format, without facing technical obstacles. This right is particularly significant when considering Microsoft's enormous capabilities and influence in the technology sector. Yet, their solutions for data portability in OneNote seem to lag behind these expectations, prompting questions about their commitment to empowering users in controlling their personal data.
9. Community Feedback and Experiences: I’m interested in hearing your thoughts on Microsoft's suggestions and any personal experiences or workarounds you've found effective for OneNote data portability.
Looking forward to a fruitful discussion and your valuable input.