In what is the first such case globally, schools in Germany have banned the use of Microsoft Office 365, after a data privacy authority for the state of Hesse ruled that using the popular software exposes personal information of students and teachers “to potential access by US authorities”.
“The use of Microsoft Office 365 in schools is illegal under data protection law, as far as schools store personal data in the European cloud,” said the ruling by Michael Ronellenfitsch, the Hesse Commissioner for Data Protection and Freedom of Information (HBDI).
By declaring that Windows 10 and Office 365 are not compliant with the EU General Data Protection Regulation (GDPR) for use in schools, the ruling ends years of debate over whether “schools can use Microsoft’s Office 365 software in compliance with data protection regulations”.
The Hesse Commissioner has suggested that schools switch to similar applications with on-premise licenses on local systems.
Microsoft said it looks forward to working with the Hesse Commissioner to better understand their concerns.
“When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced, based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data,” a Microsoft spokesperson told Ars Technica in a statement.
For years, there has been a discussion in Germany about whether schools can use Microsoft’s Office 365 software in compliance with data protection regulations.
In August 2018, Microsoft publicly announced that contracts for the Germany cloud would no longer be offered and that distribution of this product would be discontinued.
Since then, the data protection authority asked a large number of teachers and school administrators, as well as school authorities, to use Office 365 in the European cloud.
“With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries at Microsoft. Such data is also transmitted when using Office 365. Also, the digital sovereignty of state data processing must be guaranteed,” said HBDI.
The authority said what is true for Microsoft is also true for the Google and Apple cloud solutions.
“The cloud solutions of these providers have so far not been set out transparently and comprehensibly. Therefore, it is also true that for schools the privacy-compliant use is currently not possible,” said HBDI.