Office 365 declared illegal in German schools due to privacy risks
Last week, the German state of Hesse declared that its schools may not legally use the Office 365 cloud product. Hesse is one of the sixteen federal states of Germany, with a population of roughly six million (of roughly 83 million Germans). Although the press release specifically targets Office 365, it notes that competing Apple and Google cloud suites also do not satisfy German privacy regulations for use in schools.
What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools the privacy-compliant use is currently not possible.
Hessian commissioner of Data Protection and Freedom of Information
This isn’t the first time part of Germany has publicly broken up with Microsoft Office; some German cities including Munich and Freiburg famously ditched Microsoft Office applications in favor of OpenOffice in the early 2000s. Those open source adoption programs have had a notoriously rough ride, plagued with interoperability issues—just because one town changes its office applications doesn’t mean its neighboring towns, parent state, or even its own citizens have. The municipalities have also been targeted heavily with lobbying from Microsoft itself, up to and including Steve Ballmer (then Microsoft’s CEO) interrupting a ski vacation to fly to Munich to try to cut a pro-Microsoft deal in person.
However, the early-2000s attempts to break free of Microsoft were a function of choice. This time around, the Hessian commissioner for Data Protection and Freedom of Information (HBDI) isn’t just saying that schools would prefer not to use Microsoft; he’s stating that their use of Office 365 is outright illegal. In August 2017, the HBDI ruled that Office 365 could legally be used by schools so long as the back end for the school accounts was stored in Microsoft’s German-located cloud. A year later, Microsoft closed its German cloud datacenter, and schools migrated their accounts to the European cloud. Now, the HBDI states that the European cloud may offer access to US authorities. With no way for the German government to monitor such access, this makes use of that cloud illegal without specific consent being granted by its individual users.
In addition to the physical geography of the cloud, the HBDI is unhappy about telemetry in both Office 365 and Windows 10 itself. Neither can be disabled by end users or organizations, and the content of both remains undisclosed by Microsoft despite repeated inquiries. According to the HBDI, the only legal way around the murky provenance of the telemetry—and possible US state access to users’ data—is by asking consent of the individual users. This means that the schools themselves cannot consent on behalf of students, and neither can their parents, according to the HBDI. (Article 8 of the European Union GDPR makes provision for obtaining parental consent for information services to children less than 16 years of age, but its paragraph three specifically states that this doesn’t invalidate contract law of its member states.)
It appears that the HBDI would rather not ditch Office outright, preferring to pressure Microsoft into compliance with German law. The office lays out the conditions under which schools could continue to use Office 365: it requires that all possible access of third parties to user data be curtailed—presumably, by reopening a German datacenter—and also requires that the contents of Windows 10 and Office 365 telemetry be revealed in full. Until then, HBDI says, “schools can use other tools such as on-premise licenses on local systems.”
After publication, a Microsoft spokesperson reached out with the company’s response on this story:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.
Microsoft spokesperson