The German state of Hessen has warned schools not to use Office 365 because the Microsoft suite's cloud storage and telemetry collection are not compliant with the EU's General Data Protection Regulations.
The Hessian Commissioner for Data Protection said last week that its ruling came after years of negotiations with Microsoft, which it claimed had still not clarified certain issues – specifically whether the private data of German schoolchildren stored in the cloud by their school could be accessed by US investigators.
The German state's data watchdog noted a separate issue around telemetry data collected by Windows 10 and by Office 365, and complained Microsoft had not made it clear exactly what data is collected and transmitted. The use of clouds from Apple and Google was said to be equally problematic.
The regulator said (via Google Translate):
The crucial aspect is whether the school as a public institution can store personal data (of children) in a (European) cloud, e.g. potential access by US authorities. Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data. Also the digital sovereignty of state data processing must be guaranteed.
In addition, there is another issue that the Federal Office for Information Security pointed out to the public in autumn 2018. With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries at Microsoft. Such data is also transmitted when using Office 365.
The regulator noted the usefulness of the software, particularly in vocational schools, but said it was down to Microsoft to present a solution. In the meantime, it recommended schools investigate on-premises products.
It said a previous investigation had cleared 365 for use because the cloud storage had relied upon a German-based data centre. Microsoft is due to open two data centres, one in Berlin and one in Frankfurt, at the end of the year.
Microsoft already sells a differentiated Office 365 product for Germany separate from the rest of the Europe due to the country's more stringent regulations, according to this Microsoft platform description.
And we return to Munich's migration back to Windows – it's going to cost what now?! €100m!READ MORE
Germany became a heated battleground for open-source desktop advocates when the city of Munich ditched Microsoft in favour of Linux before feeling the full force of Redmond's affection and reversing the decision.
Hessen has a population of about six million and includes the city of Frankfurt.
Microsoft was not able to answer specific questions but sent us the following statement:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns.
When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data.
In our service terms we document the steps we take to protect customer data, and we've even successfully sued the US government over access to customer data in Europe. In short, we're thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft's offerings.
Better news for Microsoft comes from Australia today, where the federal government signed up to a three-year deal to put 98 federal agencies on Office 365, leaving less than 2 per cent of government desktops with old-school licences.
The software giant hopes the deal will also boost Azure and Dynamics 365 adoption – it's dangling 1,400 subsidised Azure training places as part of the deal.
The licensing agreement will be managed by Data#3 with resellers including DQA, oobe and Veritec. Microsoft hopes the deal will create more cloud-based work for other resellers and developers too. ®