The German state of Hesse has banned the use of Microsoft Office 365 in schools over fears of surveillance, data mining and the problems of consent.
According to reports, Office 365, the cloud version of the American company’s productivity suite, engages in a certain level of telemetry to gathers data which, under GDPR, wouldn’t be a problem, as long as the users give Microsoft explicit consent to do so.
That’s where the issue lies, however, as by German law, minors can’t provide such consent for Office 365.
Microsoft tried to tackle the issue by opening a German-based data centre, but it closed it down last summer.
"For years, regulators have been in discussion with Microsoft. The crucial aspect is whether the school as a public institution can store personal data (of children) in a (European) cloud, for example, potential access by US authorities," the Hesse Commissioner for Data Protection and Freedom of Information (HBDI) said.
"Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data. Also the digital sovereignty of state data processing must be guaranteed."
The HBDI also mentioned that Windows as a system also operates a ‘wealth of telemetry data’ that is being sent to Microsoft all the time, without clear and concise consent.
Under the General Data Protection Regulation (GDPR), which came into force in May 2018, organisations are required to be more transparent and responsible with how they gather, store and share personal data from users in the European Union.
Following the release of this story, Microsoft reached out with the following statement:
"We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.”