The German State of Hesse is putting a firm foot down to protect user data by banning Microsoft's Office 365 in its public schools. According to the Hessian Commissioner for Data Protection and Freedom of Information (HBDI), Microsoft has not been transparent enough about the safety of the user data stored in the company's cloud. Without reassurance that data from schoolchildren will be kept safe from third-parties, the HBDI refuses to allow the state's public schools to run Office 365.
This has been a situation that was discussed between the HBDI and Microsoft for years, according to an official statement in German. Although the state has no issue with using cloud services — the statement acknowledges cloud services its schools currently use, such as storing electronic textbooks — Office 365 collects and transmits data in a way that can't be completely disabled by users and can't be managed.
According to a report by Ars Technica, in 2017, the HDBI initially permitted Office 365 in schools because it used a Microsoft cloud server located in Germany. A year later, the German cloud was closed, forcing schools to move their accounts to a European cloud instead. This cloud, claims the HDBI, allows access to third-parties, such as the U.S. authorities, without the consent of users — which violates the child privacy protection rules of the European Union's General Data Protection Regulation (GDPR).
The HDBI believes asking children to consent to third-party access of their data isn't a reasonable expectation. And, because this involves a child's personal information, the HDBI doesn't approve of a school, parent, or guardian giving consent on behalf of the child, either.
Therefore, they concluded, the use of Office 365 in Hesse public schools is illegal.
A Microsoft spokesperson sent a statement to various outlets stating that the company is willing and eager to work with the HDBI to understand the privacy concerns. The Hessian Commissioner also seems willing to work with Microsoft to work out a privacy-compliant solution as well. Presumably, as long as Microsoft can keep third-parties from accessing the schoolchildren's data, the HDBI will be happy. In the meantime, Hessian public schools were encouraged to use alternatives or 'on-premise licenses' — software that's installed directly on computers rather than access from the cloud — such as Microsoft Office 2013.
In addition to enforcing privacy regulations, this strike against Microsoft also serves as a warning to other huge tech companies like Google and Apple. Ars Technica quoted the HDBI, stating:
"What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools the privacy-compliant use is currently not possible."
Recently, governments in the EU and the US have been increasing their scrutiny of tech conglomerates and the handling of user information. The EU has gleefully slapped fines on tech giants for mishandling data and dodging regulations. And companies, such as AT&T, have been sued for selling customer data to third-parties. The battle over private user information will likely continue to grow as consumers and regulators become more critical, and less trusting, of tech companies.