Skip to main content

German state bans Office 365 in schools, citing privacy concerns

German state bans Office 365 in schools, citing privacy concerns


Schools in Hesse will have to rely on non-cloud software

Share this story

If you buy something from a Verge link, Vox Media may earn a commission. See our ethics statement.

Illustration by William Joel / The Verge

Schools in the German state of Hesse will no longer be able to use Microsoft’s Office 365 thanks to the EU’s GDPR rules, the state’s data protection commissioner has ruled. The Next Web reports that the issue arose after Microsoft closed its German data center in August last year, creating the potential risk for its users’ data to be accessed by US authorities. 

Windows 10’s telemetry system collects a wide array of data about how you use its products and services, depending on how your privacy settings are configured. This data can include email subject lines, and any phrases that you use Microsoft’s software to translate. ZDNet notes that if you have Windows 10’s telemetry data settings set to “Enhanced,” then it can also collect the contents of your system memory when a crash occurs, which could include sensitive information.

Cloud solutions from Google and Apple are also affected

Responding to the news, a spokesperson from Microsoft acknowledged the commissioner’s concerns, but pointed towards the options administrators already have to limit the amount of data that’s sent to the company when Office 365 is connected to a work or school account. They also said that the company has recently introduced new features to offer more control over this data, and pointed out that the company has previously successfully sued the US government over access to customer data in Europe.

“We’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings,” the Microsoft spokesperson said.

In the past, Microsoft also attempted to address concerns over data collection with a Windows Diagnostic Data Viewer that it launched last year. But it seems the company will need to do more to address the concerns of the Hessian data protection commissioner, who wants more assurances about the security of how the data is processed. Simply gaining better user consent wouldn’t be enough to overcome these problems, because the school software is dealing with sensitive data relating to children.

This isn’t a problem that’s unique to Microsoft. The commissioner notes that it’s also not possible for schools in Hesse to use cloud solutions from Google and Apple in a GDPR-compliant way. For now, the only option for schools is to use a locally stored piece of software like Microsoft’s non-cloud Office 2019, unless the company is willing to provide better assurances about data security.

Update July 15th, 1:40PM ET: Updated with response from Microsoft.