In the past, German schools were able to make use of the 'German cloud' offered by Microsoft until mid of 2018. Then Microsoft ceased to offer a data trustee model that met German requirements in regards to privacy protection.
Now the German Data Protection Conference (DSK) has analyzed Microsoft's offering for German schools and authorities and issued a damning statement.
According to the German DSK officials, Microsoft 365 is in breach of data protection laws (GDPR). It is therefore not suitable for legally compliant use in schools or public authorities in Germany.
Although there has been slight progress with Microsoft's new "Products and Services Data Protection Addendum", this is by no means sufficient to meet the legal requirements for privacy and security.
Matthias Pfau, founder of the encrypted email service Tutanota comments:
"It is unbelievable that American online services continue to trample on the European GDPR more than four years after it was passed. Obviously, large American corporations are putting up with any complaints and also penalties because the business model - "use my service and I'll use your data" - is extremely lucrative for them. Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems. Linux with LibreOffice is a very good alternative to which schools and authorities should switch immediately. As long as schools and authorities continue to use Microsoft - albeit installed locally - Microsoft obviously sees no reason to respect European data protection rules."
"Other cloud solutions such as e-mail and calendar do not have to be used by Microsoft. There are now very good and fully encrypted services, such as Tutanota from Hanover. Here, privacy and data protection are guaranteed, plus all data is stored on German servers."
In the statement the DSK says:
"Controllers must be able to meet their accountability obligations pursuant to Art. 5 (2) GDPR at all times. When using Microsoft 365, difficulties can still be expected in this regard on the basis of the "data protection supplement", as Microsoft does not fully disclose which processing operations take place in detail. In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the customer or which are carried out for its own purposes. The contractual documents are not precise in this regard and do not allow for conclusive evaluation of processing, which may even be extensive, including for the company's own purposes."
"The use of personal data of the users (e.g., employees or students) for the provider's own purposes precludes the use of a processor in the public sector (especially at schools)."
The new evaluation followed after an update of Microsoft's "Products and Services Data Protection Addendum".
However, the changes made are not sufficient to meet privacy requirements for German schools and authorities.
Microsoft adopted some of the EU Commission's standard contractual clauses.
Microsoft explained in more detail how it evaluates data itself and for what purposes this is done. For example, the addendum states that Microsoft generates non-personal statistics from pseudonymized data and uses them for its own purposes.
However, according to the Federal Data Protection Commissioner Ulrich Kelber, it is still unclear which data is used for the company's own agendas. It is still not possible to assess from the outside what information Microsoft is collecting and how they are using this data for their own purposes.
In addition the DSK criticizes data transfer to the US, which makes the data accessible to American authorities:
"The working group's discussions with Microsoft confirmed, in accordance with the contractual provisions, that personal data will in any case be transferred to the USA when Microsoft 365 is used. It is not possible to use Microsoft 365 without transferring personal data to the USA."
In conclusion of the analysis of Microsoft's "Products and Services Data Protection Addendum", the DSK advises also private users not to use Microsoft 365, since one simply cannot rely on Microsoft handling the collected information in a privacy-compliant manner.
Microsoft, to the contrary, has issued a statement right after the DSK publication arguing that it would be possible to use Microsoft 365 in a legally compliant manner.
In very similar decisions, the Dutch and Danish privacy watchdogs have declared the use of Google and Gmail illegal in schools as well, also due to violations of the GDPR. Read more on these decisions here.
In 2019 already, the Hessian commissioner of Data Protection and Freedom of Information came to a similar conclusion as the scrutiny of the updated Microsoft addendum by the DSK just now.
In 2019, two privacy issues were criticized specifically:
For the Hessian commission of Data Protection and Freedom of Information the protection of children's data comes first:
"The critical aspect is if a school as a public institution may store personal data (of children) in a (European) cloud, which, for instance, is open to access from US-American authorities. Public institutions in Germany have a particular responsibility in regards to permissibility and transparency of the processing of personal data."
In consequence, the data commissioner reasons that the data processing by Microsoft is illegal. In addition, this can not be helped by asking parents for consent to data processing. This would not satisfy the particular protection rights of children in regards to article 8 of the General Data Protection Regulation (GDPR).
The Hessian commissioner also states that
"What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools the privacy-compliant use is currently not possible."
In addition, companies such as Microsoft have made the news with hacks where malicious attackers gained troves of data - all of which could have been prevented had the data on the Microsoft servers been end-to-end encrypted.
The privacy concerns are so severe that German schools must no longer use Office 365.
However, lots of schools, particularly trade schools, use Office 365 to prepare students for office work with Word, Excel etc. Instead of Office 365, these schools must now use on-premise licenses on local systems.
Schools that only use Office 365 for email also have the option to switch to a secure email service such as Tutanota. Here all data is stored encrypted on German servers, respecting the strict German privacy protection laws and in full compliance with the GDPR.
In the future, we plan to extend our secure email service that already incorporates an address book and a calendar into a fully encrypted Groupware Suite. A German or European alternative to Big Tech is needed so that schools and authorities can securely store citizens' data in the cloud.
tl:dr: The DSK's publication is mainly about putting pressure on Microsoft to comply with German data protection regulations; and less about everyone in Germany using other services. Still, it would be much better to have a real alternative to Microsoft, Google and Apple. That's what Tutanota is building right now. Started with secure emails, Tutanota now also offers an encrypted address book, an encrypted calendar and the encrypted contact form Secure Connect. Many more features are planned, and we estimate that in a few years we will be able to offer an encrypted groupware suite with built-in encryption and maximum respect for privacy.