Microsoft 365 banned in German schools over privacy concerns


German federal data protection authorities have banned the use of Microsoft Office 365 in schools as a result of privacy concerns around the use of US cloud providers.

The German Data Protection Conference (DSK) – which consists of the German Federal Data Protection Authority and 16 state regulators – said that, given the lack of transparency around how Microsoft collects and processes personal data, as well as the potential for third-party access to it, the use of O365 is not legally compliant with the General Data Protection Regulation (GDPR).

“Microsoft does not fully disclose which processing operations take place in detail. In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the customer or which are carried out for its own purposes,” said a report by the DSK working group looking at the situation.

“The contractual documents are not precise in this regard and do not allow for conclusive evaluation of processing, which may even be extensive, including for the company’s own purposes,” the report continued.

“The use of personal data of the users (eg. employees or students) for the provider’s own purposes precludes the use of a processor in the public sector (especially at schools).”

This essentially means that, because of the lack of transparency, it is impossible for regulators to assess from the outside exactly what data Microsoft is collecting and how it is using that data, making it unlawful to use under GDPR.

The report added that the working group’s discussions with Microsoft confirmed that personal data would always be transferred to the US when O365 is used, claiming it was “not possible to use Microsoft 365 without transferring personal data to the USA”.

In July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield data-sharing agreement, which the court said failed to ensure European citizens have an adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.

The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, also cast doubt on the legality of using standard contractual clauses (SCCs) as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in European Union (EU) law.

Long-standing issues

The DSK working group has been actively looking at how to improve O365 to ensure compliance with European data protection standards for two years, after Microsoft discontinued its German cloud offering in August 2018 and state regulators began flagging issues with the service.

In July 2019, for example, the Hessian Commissioner of Data Protection and Freedom of Information highlighted problems with O365, particularly that using an American cloud provider would allow US authorities to access data stored in a European cloud, and that large amounts of telemetry data were being gathered and transferred without adequate logging of the activity.

The Hessian Commissioner consequently banned the use of O365 in schools throughout the German state of Hesse, and noted at the time that “what is true for Microsoft is also true for the Google and Apple cloud solutions”.

“The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, privacy-compliant use is currently not possible,” added the commissioner.

While Microsoft agreed with the working group to make a number of changes to its systems, including adopting some of the European Commission’s SCCs and laying out in greater detail how it processes data, the changes were deemed insufficient by the DSK. These changes were detailed in an updated version of Microsoft’s Products and Services Data Protection Addendum.

Referencing the working group report in a separate statement, the DSK said: “The proof of data controllers to operate Microsoft 365 in compliance with data protection law cannot be provided on the basis of the data protection addendum of 15 September 2022 provided by Microsoft.

“In particular, as long as the necessary transparency about the processing of personal data from commissioned processing for Microsoft’s own purposes is not established and its lawfulness is not proven, this proof cannot be provided.”

Microsoft responds

Microsoft, however, contends that it is still possible for German schools to use O365 in a legally compliant manner and that its products “not only meet, but often exceed, the strict EU data protection laws”.

It said the DSK’s concerns do not adequately take into account changes the company has already made to its systems, and stem from “several misunderstandings” about how its services work.

“We have worked closely with the DSK throughout the review process and have responded to the concerns raised with several sweeping changes,” said Microsoft. “Examples of this are an improved notification process for changes of sub-processors and additional clarifications relating to the processing of personal data by Microsoft for Microsoft business activities prompted by the provision of the services to customers. Microsoft has fully cooperated with the DSK, and while we disagree with the DSK’s assessment, we want to address any remaining concerns.

“We take DSK’s demand for more transparency to heart. While our transparency standards already exceed those of most other providers in our sector, we are committed to becoming even better. In particular, as part of our planned EU data border, we will provide further documentation on our customers’ data flows and the purposes of processing in the interests of transparency. We will also provide more transparency about the locations and processing by sub-processors and Microsoft employees outside the EU.”

It added: “In the interests of greater transparency, we would appreciate the full report being released with the detailed responses and comments submitted to Microsoft’s DSK, but with appropriate redacting.”

While Microsoft had committed to creating an EU Data Boundary by the end of 2022, data protection experts have previously criticised the move as a tacit admission that data is being routinely processed outside the bloc, claiming there is no feasible way it would stop European citizens’ data from being transferred abroad to the US, where there is a lower standard of protection.

In its response to the DSK, Microsoft stated the Data Boundary would “significantly reduce the flow of data from the EU to other countries… [enabling] public sector and corporate customers in the EU and across the European Free Trade Association to process and store customer data in the region”.

Following the publication of the working group report, federal data protection commissioner Ulrich Kelber said that while Microsoft had made “progress in individual points”, data protection authorities would “have to look [at] individual cases to see whether data protection compliance can still be achieved”.

Kelber added that he doubted O365 could “simply be used on a computer without further protective measures”.

Commenting on the DSK’s findings, Matthias Pfau, founder of the encrypted email service Tutanota, said it was “unbelievable” that US-based cloud providers continue to trample on European data rights more than four years after the introduction of the GDPR in May 2018.

“Obviously, large American corporations are putting up with any complaints and also penalties because the business model – ‘use my service and I’ll use your data’ – is extremely lucrative for them. Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems,” he said.

“Linux with Open Office is a very good alternative to which schools and authorities should switch immediately. As long as schools and authorities continue to use Microsoft – albeit installed locally – Microsoft obviously sees no reason to respect European data protection rules.”
