Cloud-based productivity apps aren’t exactly the kinds of apps you’d normally think were deserving of being banned from a school. But a few schools in Germany have done just that, and Microsoft’s Office 365 is the target.
According to TNW, the German state of Hesse has found that Office 365’s current configuration isn’t compliant enough with the European Union’s new General Data Protection Regulation (GDPR) guidelines to be utilized in German schools.
On July 9, a statement on the legality of using Office 365 in German schools was published online by the Hessian commissioner for data protection and freedom of information. According to a translated version of that statement, the first concern with using Office 365 in German public schools is that the cloud service requires schools to store the personal data of children in a European cloud, which could, in turn, be accessible “by U.S. authorities.”
As TNW notes, this particular issue came about because initially, such schools used to store this personal data in a German data center until Microsoft shut that center down in 2018. As a result, the storage of that data was moved to a European data center that may allow U.S. authorities access to that information.
The other concern is that, like Windows 10, Office 365 transmits “a wealth of telemetry data” to Microsoft and, as the Commissioner notes, Microsoft hasn’t clarified the exact nature of the content of that data “despite repeated inquiries.” TNW also noted that this telemetry data can contain personal information such as “user content from Office applications” or even email subject lines in addition to software diagnostic data. And collecting this kind of personal data is illegal according to the EU’s GDPR guidelines. The only possible loophole is asking for individual consent for the collection of this data, but since kids can’t provide that consent, collecting this data from their usage of Office 365 is still illegal.
It is essentially because of these issues that the commissioner has ruled that Office 365 and Windows 10 cannot be used in schools since they aren’t GDPR compliant.
In addition, the Commissioner also said that Google and Apple cloud services aren’t acceptable alternatives to Office 365 in German public schools because those services suffer from the same issues and are just as noncompliant, citing a lack of transparency. Instead, the commissioner has advised that schools use local, “on-premises” software versions of Microsoft Office apps until cloud services like Office 365 become GDPR compliant.
On July 16, Microsoft did issue its own statement to TNW regarding the Office 365 privacy concerns. In the statement, Microsoft emphasized its own efforts to be more transparent about its data collection, its efforts to allow customers to have more control over their data, and expressed an interest in working with the commissioner directly to address its concerns:
“We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.”