German federal data protection authorities have banned the use of Microsoft Office 365 in schools because of privacy concerns related to the use of U.S. cloud providers.
The German Data Protection Conference (DSK) – which consists of the German Federal Data Protection Authority and 16 state regulators – said that given the lack of transparency around how Microsoft collects and processes personal data, as well as the potential for third-party access to that data, the use of Office 365 is not legally compliant with the General Data Protection Regulation (GDPR).
"Microsoft does not fully disclose the processing operations that take place in detail. Furthermore, Microsoft does not fully disclose which processing operations are performed on behalf of the customer or which are performed for its own purposes," says a report by the DSK working group that looked into the matter.
"The contractual documents are not precise in this regard and do not allow for a conclusive assessment of the processing, which may even be extended, including for the company's own purposes."
This essentially means that, due to the lack of transparency, it is impossible for regulators to assess from the outside exactly what information Microsoft is collecting, and how the company is using that data, making its use illegal under the GDPR.
The report adds that the working group’s discussions with Microsoft confirmed that it was not possible to use Microsoft 365 without transferring personal data to the United States.
In July 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield data-sharing agreement, which the court said did not guarantee European citizens an adequate right of redress when data is collected by the U.S. National Security Agency (NSA) and other U.S. intelligence agencies.
Although Microsoft agreed with the working group to make a number of changes to its systems, including adopting some of the European Commission’s guidelines and providing more detail on how it handles data, these changes were deemed insufficient by the DSK.
Microsoft maintains, however, that it is still possible for German schools to use Office 365 in a legally compliant manner and that its products "not only meet, but often exceed, strict European data protection laws."
According to the company, the DSK’s concerns do not sufficiently address the changes the company has already made to its systems and stem from several misunderstandings about how its services work.
Commenting on the DSK's findings, Matthias Pfau, founder of encrypted messaging service Tutanota, said it was "unbelievable" that U.S.-based cloud services are still trampling on European data rights more than four years after the introduction of the GDPR in May 2018.
"Obviously, the big US companies are putting up with all the complaints and also the penalties because the business model – 'use my service and I'll use your data' – is extremely lucrative for them. Instead of relying on voluntary cooperation, much harsher consequences need to be drawn here; for example, by using completely different systems."