Recently, I stumbled upon a blog post by Tutanota, stating that Microsoft’s Office 365 had once again been declared illegal for use in German schools.
The last time this happened was in 2019, when Office 365 was banned from schools in the German state of Hesse.
If you’re curious: Office 365 package offers a polished set of proprietary tools used by many professionals worldwide, which is why it is popular.
However, it poses quite a few privacy concerns, as noted by German authorities, which have not been addressed yet.
🛑 Hence, the decision was taken by the German Data Protection Conference (DSK or Datenschutzkonferenz) to ban the use of Microsoft Office 365 in schools across the country.
DSK is a group that consists of independent German Federal and State Data Protection supervisory authorities.
Microsoft Office 365 Cannot be used in German Schools
A bold move: The DSK has banned the use of Microsoft Office 365 in schools, citing various privacy violations by Microsoft.
Negotiations had been going on for the past two years to ensure its compliance with European data protection standards.
However, things did not turn out well.
In a statement made by the DSK, they mention:
Controllers must be able to meet their accountability obligations pursuant to Art. 5 (2) GDPR at all times. When using Microsoft 365, difficulties can still be expected in this regard on the basis of the “data protection supplement”, as Microsoft does not fully disclose which processing operations take place in detail.
In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the customer or which are carried out for its own purposes.
In other words, they feel that Microsoft has not been complying with the GDPR, and there has been a consistent lack of transparency from Microsoft.
What is different from 2019?: Well, after getting banned from the schools of Hesse, Microsoft made a few changes after 2019.
But, they barely scratched the surface by adopting just a few of the EU Commission’s standard contractual clauses and updating their ‘Products and Services Data Protection Addendum‘.
What caused this again?: The DSK was not pleased when they discovered that personal data was being sent to the US when Office 365 was used, making that data accessible to American authorities.
As a result, they advise private users not to use Office 365 since Microsoft cannot be trusted to handle their data.
The folks at Tutanota also noted that many trade schools use Office 365 to prepare their students for office work. Now, they will have to use on-premise licenses (deployed locally) of Microsoft Office to achieve the same.
What’s Next?: In a recent statement, Microsoft has said that they do not agree with the DSK and have taken steps to ensure that their Office 365 products either meet the European data standards or often exceed them.
We take the DSK’s call for more transparency to heart. While our transparency standards already exceed those of most other providers in our sector, we are committed to getting even better.
In particular, we will provide further documentation on our customers’ data streams and the purposes of processing within the framework of our planned EU data limit in the sense of transparency.
We will also create more transparency about the locations and processing by subcontractors and Microsoft employees outside the EU.
So, to sum things up. Microsoft has a long way to go in ensuring compliance with the strict EU data handling guidelines.