Foreign authorities are banning Google and Microsoft services from schools, the Czech Republic is floundering
Jan Cibulka, a journalist for iROZHLAS and member of the Big Brother Awards CZ Jury, organised by EDRi member Iuridicum Remedium, has investigated how Czech authorities and schools are approaching the protection of privacy when using distance learning tools. Such tools send sensitive information overseas, where US law gives intelligence agencies access to it. The tools do not guarantee that children's private chats will not be accessed by, for example, teachers. While the first regional governments in Europe are developing safer alternatives, in the Czech Republic the risk assessment remains up to individual schools. In practice, they have little choice.
The pandemic has forced many schools to use services from Google and Microsoft, for group calls or document sharing. But concerns about the privacy of children and teachers have prompted some European authorities to ban services from these companies. One research was compiled by the Data Protection Commissioner of Baden-Württemberg, in which he points out that all activity is monitored and recorded. As part of the data goes to the US, the data of Europeans can be collected and processed by US intelligence services, which has been confirmed by the European Court of Human Rights. iROZHLAS sought the reaction of both companies: the local representatives explain that their services comply with the General Data Protection Regulation (GDPR), and the data is partly stored in data centres in Europe.
Microsoft reserves the right to process information about how people use its programs for its commercial and business interests, which practices the Commissioner defines as “complete and detailed monitoring and recording of all user behaviour and email analysis.” The Commissioner has thus banned the use of MS 365 tools in schools in Baden-Württemberg. Following this, other states have started to react as well – Denmark criticised Google Workspace for similar reasons and Dutch schools have had to restrict the use of some Google services and products. Jan Cibulka, therefore, investigated whether the Czech Ministry of Education has considered privacy concerns. Unfortunately, the ministry does not centrally address the problem but places the responsibility on school principals, who must comply with the GDPR.
However, the absence of alternative open source solutions with similar functions and stability to those from Google and Microsoft leaves the schools in a challenging position. The research recommends using tools such as Moodle or Jitsi, which do not send data abroad until a better alternative is available. Many Czech schools like Charles University in Prague will continue to use the already subscribed commercial services and are satisfied with the terms of the contract. Microsoft states in the MS 365 terms and conditions that the institution that provided the user with an account on the platform has access to the user’s data, including the content of communications and files. But at the same time, consent to the processing of personal data should be given by students or their parents and done so voluntarily. However, the purchase and use of the software are normally arranged by the school and students have no say.
In the case of the Czech Republic, the school data protection officers, who have autonomy over the use of such platforms, should be the first point of contact for the student or parent as they can restrict which data is collected and sent abroad. Students can also partially restrict the collection of information. In the case of Google, the storage of search terms or videos watched can be turned off and in the case of Microsoft, the Teams platform can be accessed from a browser using an ad-blocking tool. It is also advisable to use encrypted applications such as Signal or Whatsapp.
The article was first published in Czech here. Translation into English by Karolína Hájková.