German state bans the use of Office 365 tools in its schools due to privacy concerns (Update)
Office 365 stores German student data on foreign serversBy Cohen Coberly 20 comments
Note: A Microsoft spokesperson has reached out to comment on the story. Their statement can be viewed below this piece.
It's no secret that Microsoft's Office suite of productivity tools has been pretty popular over the years. Tools like Powerpoint are a godsend for students and corporations, whereas software such as Excel has proven invaluable to accountants and individuals who do their own taxes.
Office 365 is essentially the same thing as the normal Office suite but with one key difference: Office 365 is cloud and subscription-based, whereas Office is license-based and usually used offline on a personal or work PC or Mac.
Unfortunately for Microsoft, some German regulators -- specifically, those in Hesse -- have decided that Office 365's cloud technology has the potential to violate user privacy and thus can no longer be officially used in the state's schools.
... some German regulators [have decided] that Office 365's cloud technology has the potential to violate user privacy and thus can no longer be officially used in the state's schools.
Hesse data protection commissioner Michael Ronellenfitsch says the primary reason Office 365 in particular (as well as alternatives from Google and Apple) runs afoul of data protection issues is that the suite of tools stores the data of European children in a cloud that is exposed to and accessible by US authorities.
Ronellenfitsch insists that this is not a blanket ban on all cloud tools, noting that most such services do not "generally" pose a data protection problem for Hesse schools.
"Many schools in Hesse are already using cloud solutions," he said in a translated statement (which may be prone to errors -- see the full thing here). "Schools can use digital applications in compliance with data protection, [as long] as the security of the data processing and the participation of the pupils is guaranteed."
As others have noted, this is not an impossible situation for Microsoft to address -- they key concern here is the storage of German student user data (specifically, those in Hesse) on overseas servers. If Microsoft were to store this data on local servers instead, these new restrictions would likely be lifted.
Update: Microsoft's statement is as follows:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft.
We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we've even successfully sued the U.S. government over access to customer data in Europe. In short, we're thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft's offerings.
Update 2: A Microsoft spokesperson has reached out to inform us that, following a discussion between Hesse's Data Protection Commissioner and company representatives, Office 365 will be "provisionally" allowed in Hessian public schools that have already purchased subscriptions. These subscriptions will be tolerated "until further notice."
The Commissioner also states that schools which have not yet purchased Office 365, but intend to do so, can also "rely on the toleration." He does warn, however, that said schools "bear the financial risk" if further review and ongoing discussions with Microsoft lead to a reversal of this tolerance. In the meantime, schools that choose to use Office 365 must halt the transmission of "any kind of diagnostic data."