Microsoft 365 faces more GDPR headwinds as Germany bans it in schools
Redmond disputes report that 'it is not possible to use without transferring personal data to the USA'
Germany's federal and state data protection authorities (DSK) have raised concerns about the compatibility of Microsoft 365 with data protection laws in Germany and the wider European Union.
According to the German watchdog's report [PDF], which was written after two years of negotiations with Microsoft, the body says that the product "remains in breach" of the General Data Protection Regulation (GDPR).
The 2020 working group was put together to bring the cloud service into line with the Schrems II decision of the European Court of Justice – and relates to ongoing European concerns about cloud data sovereignty, competition, and privacy rules.
Under the GDPR, children below the age of 13 are incapable of consenting to their data being collected, while consent may be given by those with parental responsibility for those under 16 but not younger than 13. When platforms do store data on adults, those customers are meant to be able to request the deletion of their records.
The report adds (translated from the German): "Many of the services included in Microsoft 365 require Microsoft to access the unencrypted, non-pseudonymized data."
The DSK report means the office suite is therefore not suitable for legally compliant use in schools or public authorities in Germany, although it won't affect use by businesses or consumers.
Microsoft has denied that the DSK's assessment of Office – sorry, Microsoft 365 – is accurate, claiming in a statement [PDF, translated from German]:
"We ensure that our M365 products not only meet, but often exceed, the strict EU data protection laws. Our customers in Germany and throughout the EU can continue to use M365 products without hesitation and in a legally secure manner."
In the background are alterations made by Microsoft to a "data protection addendum" in September 2022 that the DSK claimed contained a "conceptually changed section as a result of the discussions with the working group about data processing" of telemetry and diagnostic data. The DSK goes on to claim that only the wording had changed, noting: "However, according to Microsoft, it has not made any adjustments to the actual processing," and that the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of 2018 and FISA 702 provided "disproportionate access rights for US secret services [providing]... no judicial legal protection for EU citizens."
The ruling said the "use of personal data of users (e.g. employees or students) for the provider's own purposes excludes the use of a processor in the public sector (especially in schools)." The watchdog went on to note the legal basis of "entitled interest" under article 6 of the GDPR was therefore not relevant.
When asked for further comment, a Microsoft spokesperson said: "Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. We remain committed to working with the DSK to address any remaining concerns."
Matthias Pfau, founder of the encrypted email service Tutanota, opined of the ruling: "It is unbelievable that American online services continue to trample on the European GDPR more than four years after it was passed... Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems. Linux with Open Office is a very good alternative to which schools and authorities should switch immediately."
Earlier this month, France's minister of national education and youth echoed these concerns, saying free versions of Microsoft Office 365 and Google Workspace should not be used in schools. ®