Sunday, 14 July 2019 22:23

Microsoft Office 365 and Windows 10 barred from use in German schools


The Hessian Commissioner for Data Protection and Freedom of Information has said that the use of Office 365 and Windows 10 was illegal under local data protection laws.

Hesse is one of Germany's states, and the state's Privacy Commissioner has warned that data stored in the cloud by Office 365 could be accessed in the US. In effect, personal information related to teachers and students would be in the cloud and available to US agencies.

Michael Ronellenfitsch, Hesse's data protection commissioner, stated that, even if such information was stored in European data centres, it remained "exposed to possible access by US authorities".

Ronellenfitsch said public institutions in Germany "have a special responsibility with regard to the permissibility and traceability of the processing of personal data."

Further, the German Federal Office for Information Security (BSI) noted that Windows 10 sends "a wealth of telemetry data to Microsoft." The BSI asked Microsoft to advise what data it collects, but had received no response. Commentary suggested that the data could include anything from standard software diagnostics to user content from inside applications, potentially sentences from documents and email subject lines, all of which contravenes the EU's General Data Protection Regulation (GDPR).

For the past couple of years, Microsoft has provided a localised version of Office 365, which for quite some time Ronellenfitsch had supported, stating in 2017 that schools could use Office 365, provided that they adhere to Germany's data protection laws. Recently, permission to use that local resource was rescinded, when all services were migrated back to US data centres.

Ronellenfitsch asserts that mere consent to the rules Microsoft provides is not sufficient, because the data remains compromised as the security and traceability remain dubious.

Ronellenfitsch adds, "As soon as, in particular, the possible third-party access to the data in the cloud and the issue of telemetry data have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools." (translation via Google Translate)

The full statement (in German) is available here

Buried in that statement is the observation (in German, translated using Google Translate): "The HBDI is aware of the demands that vocational schools, in particular, make for the use of office packages. Therefore, there is also the interest to come together with Microsoft for a privacy-compliant solution. However, this is not up to HBDI or the other German supervisory authorities, but especially to Microsoft itself. As soon as the possible access of third parties to the data in the cloud as well as the topic of the telemetry data are reconciled and compliant with data protection, Office 365 can be used as a cloud solution by schools. Until then, schools can use other tools such as on-premise licenses on local systems."

Essentially, this statement is offering schools the option of Windows 7 and whatever stand-alone Office version they can purchase.

Further, the statement notes, "What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, the privacy-compliant use is currently not possible." (grammar slightly edited for clarity).




David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.


