Microsoft has found Office 365 banned from use in at least some German schools due to privacy concerns over the way its cloud service works.
Microsoft’s cloud services has run into a fresh roadblock in Germany, after the state of Hesse ruled it is illegal for its schools to use Office 365 citing “privacy concerns.”
The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to potential access by US authorities.”
The issue is not specifically the storage of school documents on cloud services – that in itself is ok provided that proper steps are taken to comply with GDPR requirements, as HDMI says.
The use of cloud applications by schools is generally not a data protection problem. Many schools in Hesse are already using cloud solutions. Whether, for example, the learning platform or the electronic class book: Schools can use digital applications in compliance with data protection, as far as the security of the data processing and the participation of the pupils is guaranteed.
The problem, says the regulator, is that telemetry data is sent out of Germany to the US, and this can include personal data.
This information can include anything from regular software diagnostic data to user content from Office applications, such as email subject lines and sentences from documents where the company’s translation or spellchecker tools were used.
Collection of such information is a violation of GDPR laws that came into effect last May.
In principle, consent could allow this data to be sent, but children are not able to give their consent in law, so Office 365 cannot be used. In even worse news for Microsoft, the watchdog organization says that the same is true for Windows 10.
The situation poses a problem for schools because they are not currently allowed to switch to either Google Docs or Apple’s iWork suite either.
What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly described. Therefore, it is also true that for schools the privacy-compliant use [of these alternatives] is currently not possible.
With Office 365 banned, schools have been asked to use local versions only of Microsoft Office, rather than the cloud-based platform.
Although the ruling has so far been made by only one state in Germany, it seems likely that the same issue would apply across the country.
Uodate: Microsoft told us:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.
Update August 2:
The Commissioner issued this updated statement which says that Office 365 is now provisionally allowed provided certain conditions are met. This applies to version 1904 Office 365 ProPlus, Office 365 Online and Office 365 Apps which are either already in use or for which budget has already been allocated.