Federal German data protection authorities have banned the use of Microsoft Office 365 in schools due to privacy concerns around the use of US cloud providers.
The German Data Protection Conference (DSK) – which consists of the German Federal Data Protection Authority and 16 state regulators – said that, given the lack of transparency around how Microsoft collects and processes personal data, as well as the potential for third-party access to it, the use of O365 is not legally compliant with the General Data Protection Regulation (GDPR).
“Microsoft does not fully disclose which processing operations take place in detail. In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the customer or which are carried out for its own purposes,” said a report by the DSK working group looking at the issue.
“The contractual documents are not precise in this regard and do not allow for conclusive evaluation of processing, which may even be extensive, including for the company’s own purposes,” the report continued.
“The use of personal data of the users (e.g. employees or students) for the provider’s own purposes precludes the use of a processor in the public sector (especially at schools).”
This essentially means that, due to the lack of transparency, it is impossible for regulators to assess from the outside exactly what information Microsoft is collecting, and how it is using this data, making it unlawful to use under GDPR.
The report added that the working group’s discussions with Microsoft confirmed that personal data would always be transferred to the US when O365 is used, stating that it was “not possible to use Microsoft 365 without transferring personal data to the USA”.
In July 2020, the European Court of Justice (ECJ) struck down the EU-US Privacy Shield data-sharing agreement, which the court said failed to ensure European citizens have adequate right of redress when data is collected by the US National Security Agency (NSA) and other US intelligence services.
The ruling, colloquially known as Schrems II after the Austrian lawyer who took the case to the ECJ, also cast doubt on the legality of using standard contractual clauses (SCCs) as the basis for international data transfers, finding that although these were legally valid, companies still had a responsibility to ensure that those they shared the data with granted privacy protections equivalent to those contained in European Union (EU) law.
Long-standing issues
The DSK working group has been actively looking at how to improve O365 to ensure compliance with European data protection standards for two years, after Microsoft discontinued its German cloud offering in August 2018 and state regulators started flagging issues with the service.
In July 2019, for example, the Hessian Commissioner of Data Protection and Freedom of Information highlighted problems with O365, specifically that the use of an American cloud provider would allow US authorities to access data stored in a European cloud, and that a lot of telemetry data was being gathered and transferred without sufficient logging of the activity.
The Hessian Commissioner consequently banned the use of O365 in schools throughout the German state of Hesse, and noted at the time that “what is true for Microsoft is also true for the Google and Apple cloud solutions”.
“The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, privacy-compliant use is currently not possible,” added the commissioner.
While Microsoft agreed with the working group to make a number of changes to its systems, including adopting some of the European Commission’s SCCs and laying out in greater detail how it processes data, the changes were deemed insufficient by the DSK. These changes were detailed in an updated version of Microsoft’s Products and services data protection addendum.
Referencing the working group report in a separate statement, the DSK said: “The proof of data controllers to operate Microsoft 365 in compliance with data protection law cannot be provided on the basis of the data protection addendum of 15 September 2022 provided by Microsoft.
“In particular, as long as the necessary transparency about the processing of personal data from commissioned processing for Microsoft’s own purposes is not established and its lawfulness is not proven, this proof cannot be provided.”
Microsoft responds
Microsoft, however, contends that it is still possible for German schools to use O365 in a legally compliant manner and that its products “not only meet, but often exceed, the strict EU data protection laws”.
It said the DSK’s concerns do not adequately take into account changes the company has already made to its systems, and stem from “several misunderstandings” about how its services work.
“We have worked closely with the DSK throughout the review process and have responded to the concerns raised with several sweeping changes,” said Microsoft. “Examples of this are an improved notification procedure for changes of sub-processors and further clarifications regarding the processing of personal data by Microsoft for Microsoft business activities prompted by the provision of the services to customers. Microsoft has fully cooperated with the DSK, and while we disagree with the DSK’s assessment, we would like to address any remaining concerns.
“We take DSK’s demand for more transparency to heart. While our transparency standards already exceed those of most other providers in our sector, we are committed to becoming even better. In particular, as part of our planned EU data border, we will provide further documentation on our customers’ data flows and the purposes of processing in the interests of transparency. We will also provide more transparency about the locations and processing by sub-processors and Microsoft employees outside the EU.”
It added: “In the interests of greater transparency, we would appreciate the full report being released with the detailed responses and comments submitted to Microsoft’s DSK, but with appropriate redacting.”
While Microsoft had committed to creating an EU Data Boundary by the end of 2022, data protection experts have previously criticised the move as a tacit admission that data is routinely processed outside the bloc. They claim there is no feasible way the boundary would prevent European citizens’ data from being transferred overseas to the US, where the standard of protection is lower.
In its response to the DSK, Microsoft said the Data Boundary would “significantly reduce the flow of data from the EU to other countries… [enabling] public sector and corporate customers in the EU and across the European Free Trade Association to process and store customer data in the region”.
Following the publication of the working group report, federal data protection commissioner Ulrich Kelber said while Microsoft had made “progress in individual points”, data protection authorities would “have to look [at] individual cases to see whether data protection compliance can still be achieved”.
Kelber added that he doubted O365 could “simply be used on a computer without further protective measures”.
Commenting on the DSK’s findings, Matthias Pfau, founder of the encrypted email service Tutanota, said it was “unbelievable” that US-based cloud services continue to trample on European data rights more than four years after the introduction of the GDPR in May 2018.
“Obviously, large American corporations are putting up with any complaints and also penalties because the business model – ‘use my service and I’ll use your data’ – is extremely lucrative for them. Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems,” he said.
“Linux with Open Office is a very good alternative to which schools and authorities should switch immediately. As long as schools and authorities continue to use Microsoft – albeit installed locally – Microsoft obviously sees no reason to respect European data protection rules.”