The German state of Hesse informed schools that it is now illegal to use Office 365 due to “privacy concerns.”
The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) said that the popular cloud platform does not meet the current EU General Data Protection Regulation (GDPR) guidelines as US authorities can access students’ and teachers’ personal data.
The main cause of concern is the telemetry data that Windows 10 and Office 365 send back to the US. Such info can include software diagnostic data, email subjects, and sentences that were translated or spellchecked by Microsoft’s tools. And under GDPR laws, the collection of such data is illegal.
The only loophole around the matter is to ask for user consent. But since children cannot give their consent by themselves, the use of Office 365 remains illegal.
Where Does Microsoft Store Such Data?
The HBDI also voiced its concern over the storage of such data. Microsoft previously stored personal information in a German data center. However, it shut down the location in August 2018. This means that Office 365 no longer operates under strict German jurisdiction.
Instead, all school accounts were transferred to a European data center where US officials can access them whenever they please.
HBDI officer Michael Ronellenfitsch emphasized that cloud applications aren’t the problem, as long as “the security of the data processing and the participation of the pupils are guaranteed.”
“Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data.” - Michael Ronellenfitsch
What Are the Alternatives?
Ronellenfitsch added that the ban also applies to Google’s and Apple’s cloud platforms (Google Docs and iWork respectively).
“What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly described. Therefore, it is also true that for schools the privacy-compliant use [of these alternatives] is currently not possible.” - Michael Ronellenfitsch
Therefore, the Hesse commissioner urged schools to use local, “on-premise” software versions similar to Office 365 as a temporary alternative.
The Netherlands reported a similar incident back in November 2018. Dutch investigators found a “large scale and covert collection of personal data” through Office’s built-in telemetry collection capabilities.
The report also found that Microsoft’s telemetry collection system stored Dutch user data and sent it to US servers, where American authorities can seize it upon request.
France also expressed concerns over data transmissions to the US. Back in April, the French government launched a secure chat app called Tchap to prevent officials from using WhatsApp.
What Is Microsoft’s Response?
A Microsoft spokesperson spoke to TNW on July 16 and issued the following statement:
“We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft.” - Microsoft
The US company added that it introduced new steps to give users more transparency and control over data and privacy. It also stated that the service terms perfectly describe how Microsoft protects customer data, highlighting the successful lawsuit against the US government “over access to customer data in Europe.”
Microsoft concluded by thanking the Commissioner for raising these concerns, adding that it looks forward to working with him on any questions concerning the company’s offerings.
The Microsoft Office 365 Ban – Final Thoughts
Microsoft’s absence of privacy control, as well as the telemetry data that is sent back to the US, have forced the state of Hesse to ban Office 365. And it could spark other states, or even countries, to follow suit. The fact that US officials have the liberty to view personal information whenever they want raises a major red flag for several European countries. So unless Microsoft can fix that problem, we might be seeing a lot of similar bans in the near future.