Microsoft’s cloud services has run into a fresh roadblock in Germany, after the state of Hesse ruled it is illegal for its schools to use Office 365 citing “privacy concerns.”
The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to potential access by US authorities.”
In declaring that Windows 10 and Office 365 is not compliant with EU General Data Protection Regulation (GDPR) for use in schools, this development ends years of debate over whether “schools can use Microsoft’s Office 365 software in compliance with data protection regulations.”
The heart of the issue concerns the telemetry information sent by Windows 10 operating system and the company’s cloud solution back to the US.
This information can include anything from regular software diagnostic data to user content from Office applications, such as email subject lines and sentences from documents where the company’s translation or spellchecker tools were used.
Collection of such information is a violation of GDPR laws that came into effect last May.
Currently, there’s no easy way to disable the option, and Microsoft hasn’t been exactly forthcoming about the kind of data it collects. According to the HBDI, the only legal way to get around the problem is by asking consent of individual users.
But since school children cannot provide consent by themselves, the data processing is illegal under GDPR law.
Another issue that’s at stake is the physical location of the cloud itself. While Microsoft previously provided a version of these applications that stored personal information in a German data center, the ruling noted that Microsoft closed the location as of August 2018. The company, however, said it continues to operate data centers in Germany and is expanding its data center foot print in the country.
This resulted in a migration of school accounts to a European data center, where they could be accessed by US officials upon request.
Pointing out that the use of cloud applications in itself is not the problem as long as pupils’ consent and the security of the data processing is guaranteed, HBDI’s Michael Ronellenfitsch raised concerns about whether schools can store personal data of children in the cloud.
“Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data,” Ronellenfitsch said.
European concerns about data transmitted to the US are not new. In a bid to control its digital sovereignty, France launched its own secure government-only chat app called Tchap earlier this April to prevent officials from using WhatsApp. Even India is said to be exploring something along similar lines.
Although the ruling particularly targets Microsoft Office 365, Ronellenfitsch said it applied to Google and Apple as well, stating their cloud solutions do not meet German privacy regulations either.
This effectively leaves schools with few other options, unless Microsoft gets back to them with a satisfactory solution.
In the meantime, the Hesse commissioner has suggested schools to switch to similar applications with on-premise licenses on local systems.
Update on July 16, 10:00 AM IST: A Microsoft spokesperson provided us with the following statement:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.