State of Hesse says student and teacher information could be “exposed” to US spy agencies.
The state’s data-protection commissioner has ruled that using the popular cloud platform’s standard configuration exposes personal information about students and teachers “to possible access by US officials”.
That might sound like just another instance of European concerns about data privacy or worries about the current US administration’s foreign policy.
But in fact the ruling by the Hesse Office for Data Protection and Information Freedom is the result of several years of domestic debate about whether German schools and other state institutions should be using Microsoft software at all.
Besides the details that German users provide when they’re working with the platform, Microsoft Office 365 also transmits telemetry data back to the US.
Last year, investigators in the Netherlands found that this data could include anything from standard software diagnostics to user content taken from inside applications, such as sentences from documents and email subject lines. All of that contravenes the EU’s General Data Protection Regulation, or GDPR, the Dutch concluded.
Germany’s own Federal Office for Information Security also recently expressed concerns about telemetry data that the Windows operating system sends.
To allay privacy fears in Germany, Microsoft invested millions in a German cloud service, and in 2017 Hesse authorities said local schools could use Office 365. If German data remained in the country, that was fine, Hesse’s data privacy commissioner, Michael Ronellenfitsch, said.
But in August 2018 Microsoft decided to shut down the German service. So once again, data from local Office 365 users would be transmitted across the Atlantic. Several US laws, including 2018’s CLOUD Act and 2015’s USA Freedom Act, give the US government broader powers to demand data from tech companies; the CLOUD Act in particular lets US authorities compel US-based providers to hand over data regardless of where that data is stored.
It’s actually simple, Austrian digital-rights advocate Max Schrems, who took a case on data transfers between the EU and US to the highest European court this week, tells ZDNet.
School pupils are usually not able to give consent, he points out. “And if data is sent to Microsoft in the US, it is subject to US mass-surveillance laws. This is illegal under EU law.”
Even if it weren’t, public institutions in Germany – such as schools – have a particular responsibility for what they do with personal data, and how transparent they are about that, Hesse’s Ronellenfitsch explained in a statement.
Despite ongoing discussions between German authorities and Microsoft, fulfilling those responsibilities hasn’t been possible.
A spokesperson for Microsoft tells ZDNet the company is working on it: “We’re thankful the [Hesse] commissioner raised these concerns and we look forward to working with [them] to better understand their concerns.”
The spokesperson also pointed out that Microsoft has taken the US government to court to protect customer data and that administrators of school and workplace accounts can themselves limit what information is sent back to Microsoft. The transmission of information cannot be switched off altogether, though.
Schools are far from the only public institutions in Germany with misgivings about Microsoft. Earlier this year, Vitako, Germany’s federal association of municipal IT service providers, complained that the use of Office 365 by local councils meant private information about German citizens who were, for example, applying for driver’s licenses or marriage certificates, was potentially also exposed to US snooping.
For the money we spend on software licenses, one would expect a product that requires less management and offers more security, one senior IT administrator from the city of Cologne grumbled: “Instead it’s a costly risk for municipalities.”
In 2018, federal ministries and their various offices spent almost €73m ($82m) on licensing Microsoft programs – almost €26m ($29m) more than budgeted, most likely due to expiring licenses.
In a letter on the topic, the Ministry of the Interior said that while open-source software and other alternatives were being tried out, German ministries currently had few options other than Microsoft.
In fact, all this is just part of a much longer running fight about how Europeans can keep their data safe from US and Chinese eyes. Calls for Germany to work harder on ‘digital sovereignty’ are increasing.
“We have to consider this again and put realistic funding behind it,” Andreas Koenen, a senior member of the German Interior Ministry, argued for domestic cloud services at a conference in Berlin earlier this year. “The political situation is forcing this on us.”
The legal situation may soon do so, too. On Tuesday, a case brought by Austrian activist Schrems was heard in the European Court of Justice. Schrems already had one headline-making success there in 2015, when a case he brought overturned the so-called Safe Harbor agreement, which governed data transfers between the EU and the US.
The new case could challenge Privacy Shield, the rules that replaced Safe Harbor in 2016. Thanks to the way the case has proceeded in its country of origin, Ireland, it may now also contest so-called ‘standard contractual clauses’ governing the trans-Atlantic movement of data.
Some of Microsoft’s data transfers are covered by these clauses too, and a ruling against them could seriously disrupt international data flows.
A decision is not expected from Luxembourg until mid-December. So in the meantime, school students in central Germany will just have to make do: The Hesse privacy commissioner has suggested they use similar office products with on-premise licenses, while everybody waits for Microsoft to get back to them.