German schools have barred the use of cloud-based Microsoft Office 365 software following fears over data privacy.
Schools in the state of Hesse have been told they can no longer use it after the authorities ruled it was gathering information from users who were unable to give their consent.
Under GDPR, the use of telemetry software to gather data on its users is not an issue, provided the users have given permission for it to do so.
German law states, however, that when it comes to use in schools, minors cannot provide such consent.
The Hesse Commissioner for Data Protection and Freedom of Information (HBDI) said: “For years, regulators have been in discussion with Microsoft. The crucial aspect is whether the school as a public institution can store personal data (of children) in a (European) cloud, for example, potential access by US authorities.
“Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data.
“Also, the digital sovereignty of state data processing must be guaranteed.”
A German-based data centre was opened by Microsoft to tackle the issue, but it was closed last summer.
The software was updated with new privacy controls and security features but the measures did not go far enough.
The HBDI described Windows as sending a ‘wealth of telemetry data’ to Microsoft without clear and concise consent.
The main issue was that telemetry information is sent by the Windows 10 operating system to the company’s cloud solution back in the US.
This information can include anything from user content from Office applications, such as email subject lines and sentences from documents where the company’s translation or spellchecker tools were used, to regular software diagnostic data.
There is no way to disable the option at present and, according to the HBDI, the only legal way to get around the problem is by asking for the consent of individual users.
As school children cannot provide consent by themselves, this becomes a violation under GDPR.
The physical location of the cloud itself is also an issue.
School accounts were sent to a European data centre, where they could be accessed by US officials upon request.
Cloud applications are not problematic if pupils give their consent and the security of the data processing is guaranteed.
HBDI ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to potential access by US authorities.”
Organisations across the EU are required under the terms of the General Data Protection Regulation (GDPR) to be more transparent and responsible with how they gather, store and share personal data.
In declaring that Windows 10 and Office 365 are not compliant with GDPR for use in schools, HBDI had to decide whether schools could use Microsoft’s Office 365 software in compliance with data protection regulations.
HBDI’s Michael Ronellenfitsch said there were issues about whether schools can store personal data of children in the cloud.
He said: “Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data.”
Google and Apple
He said the same applied to Google and Apple, stating that their cloud solutions do not meet German privacy regulations either.
The Hesse commissioner has suggested that, for the time being, schools switch to similar applications with on-premise licenses on local systems.
A Microsoft spokesperson told TNW: “We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns.
“When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced, based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.”