
Office 365 declared illegal for German schools.

American cloud providers do not comply with strict German privacy protection laws and must not be used by German schools.

German schools must not use cloud offerings such as Office 365, G Suite and iCloud due to privacy violations. The Hessian commissioner of Data Protection and Freedom of Information issued a statement that, given the lack of transparency regarding data protection and potential third-party access, no personal data of German school children may be stored on Microsoft's, Google's or Apple's servers outside of Germany.

Office 365 banned in German schools

In the past, German schools were able to use the 'German cloud' offered by Microsoft until mid-2018. Then Microsoft ceased to offer a data trustee model that met German privacy protection requirements.

More and more schools have asked the Hessian department of Data Protection and Freedom of Information whether they were allowed to use the European cloud instead.

Now the Hessian commissioner of Data Protection and Freedom of Information has issued a statement declaring that using the European cloud is illegal for German schools. According to the statement, Microsoft's European cloud does not satisfy German privacy regulations for use in schools.

Two privacy concerns

Two issues were criticized specifically:

  • American authorities can access data stored in the European cloud without the German government having control over this.
  • In Office 365 and Windows 10, a lot of telemetry data is gathered and transmitted to Microsoft without Microsoft providing satisfactory information about what is logged and transferred.

Protecting children's data

For the Hessian commission of Data Protection and Freedom of Information, the protection of children's data comes first:

"The critical aspect is if a school as a public institution may store personal data (of children) in a (European) cloud, which, for instance, is open to access from US-American authorities. Public institutions in Germany have a particular responsibility in regards to permissibility and transparency of the processing of personal data."

Consequently, the data commissioner reasons that the data processing by Microsoft is illegal. Moreover, this cannot be remedied by asking parents for consent to the data processing, because consent would not satisfy the particular protection rights of children under Article 8 of the General Data Protection Regulation (GDPR).

The Hessian commissioner also states that

"What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools the privacy-compliant use is currently not possible."

In addition, companies such as Microsoft have made the news with hacks where malicious attackers gained troves of data - all of which could have been prevented had the data on the Microsoft servers been end-to-end encrypted.

Consequences for German schools

The privacy concern is so severe that German schools must no longer use Office 365. However, lots of schools, particularly trade schools, use Office 365 to prepare students for office work with Word, Excel etc. Instead of Office 365, these schools must now use on-premise licenses on local systems.

Schools that only use Office 365 for email also have the option to switch to a secure email service such as Tutanota. Here all data is stored encrypted on German servers, respecting the strict German privacy protection laws, in full compliance with the GDPR.

Secure groupware suite is planned

In the future, we plan to extend our secure email service that already incorporates an address book and a calendar - everything encrypted by default - into a fully encrypted Groupware Suite.

tl;dr: While the Office 365 case in Germany is mostly about pressuring Microsoft into adhering to German privacy regulations rather than switching services, it would be much preferred to have a true alternative to Microsoft, Google and Apple. That's what Tutanota is building right now. Having started with secure email, Tutanota today also offers an encrypted address book, an encrypted calendar, and the encrypted contact form Secure Connect. Many more features are planned, and we estimate that in a few more years, we can offer an encrypted Groupware Suite with maximum respect for user privacy.