The Commissioner for Data Protection and Freedom of Information in the German state of Hesse has warned that the use of Office 365 and Windows 10 in local schools was illegal under the European Union’s stringent GDPR rules. According to commissioner Michael Ronellenfitsch, the software exposes personal user data “to possible access by US officials”. As for Windows 10, the commissioner cited a German Federal Office for Information Security (BSI) report, which claimed that the OS sends “a wealth of telemetry data to Microsoft”.
The development comes after Microsoft recently started sending back data from German users to its US servers instead of storing and processing them locally, as it had been doing earlier. While Microsoft’s earlier actions complied with local data protection laws, the recent decision to migrate the service back to US data centers is what’s believed to have brought about the latest advisory.
The concerns expressed by the commissioner, however, isn’t limited to Office 365. According to Ronellenfitsch, “What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, the privacy-compliant use is currently not possible”.
It will be interesting to see how Microsoft handles the issue, because as long as the impasse continues, the schools caught up in the crossfire will not be able to use either of the aforementioned software, but instead, will have to make do with “other tools such as on-premise licenses on local systems”, which likely includes Office 2016 and the decade-old Windows 7.