Schools in the central German state of Hesse have been told it’s now illegal to use Microsoft Office 365.
The state’s data-protection commissioner has ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to possible access by US officials”.
That might sound like just another instance of European concerns about data privacy or worries about the current US administration’s foreign policy.
But in fact the ruling by the Hesse Office for Data Protection and Information Freedom is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all.
Besides the details that German users provide when they’re working with the platform, Microsoft Office 365 also transmits telemetry data back to the US.
Last year, investigators in the Netherlands discovered that this data could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines, all of which contravenes the EU’s General Data Protection Regulation, or GDPR, the Dutch said.
Germany’s own Federal Office for Information Security also recently expressed concerns about telemetry data that the Windows operating system sends.
To allay privacy fears in Germany, Microsoft invested millions in a German cloud service, and in 2017 Hesse authorities said local schools could use Office 365. If German data remained in the country, that was fine, Hesse’s data privacy commissioner, Michael Ronellenfitsch, said.
But in August 2018 Microsoft decided to shut down the German service. So once again, data from local Office 365 users would be transmitted over the Atlantic. Several US laws, including 2018’s CLOUD Act and 2015’s USA Freedom Act, give the US government more rights to ask for data from tech companies.
“It’s actually simple,” Austrian digital-rights advocate Max Schrems, who took a case on data transfers between the EU and US to the highest European court this week, tells ZDNet.
School pupils are usually not able to give consent, he points out. “And if data is sent to Microsoft in the US, it is subject to US mass-surveillance laws. This is illegal under EU law.”