By Jan Penfrat

In a bombshell decision, the Data Protection Authority (DPA) of the German Land of Hesse has ruled that schools are banned from using Microsoft’s cloud office product “Office 365”. According to the decision, the platform’s standard settings expose personal information about school pupils and teachers “to possible access by US officials” and are thus incompatible with European and local data protection laws.

The ruling is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all, reports ZDNet. In 2018, investigators in the Netherlands discovered that the data collected by Microsoft “could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines.” All of this contravenes the General Data Protection Regulation (GDPR) and potentially local laws for the protection of personal data of underage pupils.

While Microsoft’s “Office 365” is not a new product, the company has recently changed its offer in Germany: Until now, it provided customers with a special German cloud version hosted on servers run by German telecoms giant Deutsche Telekom. Deutsche Telekom served as a kind of infrastructure trustee, putting customer data outside the legal reach of US law enforcement and intelligence agencies. In 2018, however, Microsoft announced that this special arrangement would be terminated in 2019 and that German customers would be offered a move to Microsoft’s standard cloud offer in the EU.

Microsoft insists that nothing changes for customers because the new “Office 365” servers are also located in the EU or even in Germany. However, legal developments in the US have put the Hesse DPA on high alert: The newly enacted “US Cloud Act” empowers US government agencies to request access to customer data from all US-based companies no matter where their servers are located.

To make things even worse, Germany’s Federal Office for Information Security (BSI) recently expressed concerns about telemetry data that the Windows 10 operating system collects and transmits to Microsoft. So even if German (or European) schools stopped using the company’s cloud office, its ubiquitous Windows operating system also leaks data to the US, with no way for users to control or stop it.

School pupils are usually not able to give consent, Max Schrems from EDRi member noyb told ZDNet. “And if data is sent to Microsoft in the US, it is subject to US mass surveillance laws. This is illegal under EU law.” Even if that were legal, says the Hesse DPA, schools and other public institutions in Germany have a “particular responsibility for what they do with personal data, and how transparent they are about that.”

It seems that fulfilling those responsibilities hasn’t been possible when using Microsoft Office 365. As a next step, it is crucial that European DPAs discuss those findings within the European Data Protection Board to come to an EU-wide rule that protects children’s personal data from unregulated access by US agencies. Otherwise, European schools would be well-advised to switch to privacy-friendly alternatives such as Linux, LibreOffice, and Nextcloud.

Statement of the Commissioner for Data Protection and Freedom of Information of the Land of Hesse regarding the use of Microsoft Office 365 in schools in Hesse (only in German, 09.07.2019)
https://datenschutz.hessen.de/pressemitteilungen/stellungnahme-des-hessischen-beauftragten-f%C3%BCr-datenschutz-und

Microsoft Office 365: Banned in German schools over privacy fears (12.07.2019)
https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears

Microsoft offers cloud services in new German data centers as of 2019 in reaction to changes in demand (only in German, 31.08.2018)
https://news.microsoft.com/de-de/microsoft-cloud-2019-rechenzentren-deutschland/

(Contribution by Jan Penfrat, EDRi)