Microsoft Office 365 banned in German schools citing privacy concerns

Microsoft’s cloud services has run into a fresh roadblock in Germany, after the state of Hesse ruled it is illegal for its schools to use Office 365 citing “privacy concerns.”The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to potential access by US authorities.”Hard Fork?In declaring that Windows 10 and Office 365 is not compliant with EU General Data Protection Regulation (GDPR) for use in schools, this development ends years of debate over whether “schools can use Microsoft’s Office 365 software in compliance with data protection regulations.”The heart of the issue concerns the telemetry information sent by Windows 10 operating system and the company’s cloud solution back to the US.This information can include anything from regular software diagnostic data to user content from Office applications, such as email subject lines and sentences from documents where the company’s translation or spellchecker tools were used.Collection of such information is a violation of GDPR laws that came into effect last May.While Microsoft previously provided a version of these applications that stored such information in a German data center, the ruling noted that Microsoft shut down the location as of August 2018 — meaning, the telemetry data was once again being transmitted to US data centers, potentially giving US officials the rights to access it.Pointing out that the use of cloud applications in itself is not the problem as long as pupils’ consent and the security of the data processing is guaranteed, HBDI’s Michael Ronellenfitsch raised concerns about whether schools can store personal data of children in the cloud.But since school children cannot provide consent by themselves, the data processing is illegal under GDPR law.“Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data,” Ronellenfitsch said.European concerns about data transmitted to the US are not new. In a bid to control its digital sovereignty, France launched its own secure government-only chat app called Tchap earlier this April to prevent officials from using WhatsApp. Even India is said to be exploring something along similar lines.Ronellenfitsch said the ruling applied to Google and Apple, stating their cloud solutions haven’t been fully transparent either.This effectively leaves schools with few other options, unless Microsoft gets back to them with a satisfactory solution.In the meantime, the Hesse commissioner has suggested schools to switch to similar applications with on-premise licenses on local systems.