Germany just banned its schools from using cloud-based productivity suites from Microsoft, Google, and Apple. The tech giants aren’t satisfying its privacy requirements with their cloud offerings, it warned.
The Hessische Beauftragte für Datenschutz und Informationsfreiheit (Hesse Commissioner for Data Protection and Freedom of Information, or HBDI) made the statement following a review of Microsoft Office 365’s suitability for schools.
Microsoft launched its Azure Deutschland presence in 2016, with a focus on the ‘data trustee’ model. A third party partner, Deutsche Telekom, provided the Azure services and used a private cloud to ensure that none of the resident data went through the public internet. Even Microsoft needed to jump through plenty of hoops to get at its customers’ data. That was a bid to placate German customers who were sensitive about data sovereignty and wanted to keep their data on German soil.
That made HBDI confident enough to allow schools there to use Office 365 in August 2017, just so long as they only used the German cloud.
An issue with data Microsoft is storing, and where
Then, in August 2018, things changed. Microsoft pulled out of the data trustee arrangement in Germany and started using its regular data centre model instead, removing the barrier between the rest of the global Azure cloud and its own German data centres.
School boards in Germany carried on promoting Office 365 in spite of the privacy issues this raised, explained HBDI, prompting it to review the situation. Its conclusions (translated in part below) were dire. It doesn’t have a problem with cloud access for schools in general, it said, just with the data that Microsoft is storing, and where.
The problem is twofold, it explained. Firstly, it isn’t happy with Microsoft storing personal data (especially children’s data) in a European cloud that could be accessed by US authorities, adding:
The digital sovereignty of state data processing must be guaranteed.
Its other issue is with Microsoft’s data slurping. It warned:
With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, whose content has not been finally clarified despite repeated inquiries to Microsoft. Such data is also transmitted when using Office 365.
HBDI is taking its lead from the Federal Office for Information Security, which posted a technical analysis of Windows 10 telemetry in November 2018 (chapters 1.2 onwards are in English).
Consent won’t cut it
You can’t solve this problem by asking users for consent, the HBDI added. If you can’t be certain what data Microsoft collects or how the company will use it, then you can’t give informed consent.
The problem is that lots of schools in Germany want software like this, HBDI acknowledges. So what can they do? That’s up to Microsoft, it says. The company must satisfy the issue of third-party data access and Windows 10 telemetry, then they can talk. Redmond-based tech giant probably shouldn’t leave things too long, it concludes:
By that time, however, schools may benefit from other instruments such as serving on-premises licenses on local systems.
Google and Apple in the same boat
Although the majority of the report focused on Microsoft Office 365, HBDI explicitly called out other cloud service providers, so schools can’t use Google Docs or Apple’s iWork either:
What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensible set out. Therefore, it is also true that for schools, privacy-compliant use is currently not possible.