The local Data Protection Authority (DPA) of the central German state of Hesse has banned the use of Microsoft 365 in its schools, citing privacy concerns. According to the authority, the suite's settings gather data from within the users' applications. This clearly violates the EU's General Data Protection Regulation (GDPR).
The Microsoft 365 debate has been a longstanding one in Germany. In 2018, several state courts, including the federal German court, found that Microsoft had violated local laws connected to the GDPR. From there, the Microsoft 365 ban spread to France. The ban has mostly affected educational institutions and companies that work with these programs.
Microsoft Breaks Its Contract with Germany
The ban comes after Microsoft terminated its special arrangement for German users. Under the arrangement, Microsoft kept German users' data on servers located in Germany, which ensured that no user data left the country.
Since the termination of those arrangements and legislative developments in the US, three major issues now confront Microsoft 365 in the EU:
- EU authorities are calling for local-only servers
- Under a newly promulgated act, US agencies can access user data stored on US companies’ servers, even the data of non-US citizens
- Microsoft fails to guarantee minors’ data protection
Under the GDPR, those under 18 years old can't consent to their data being collected. Even on platforms that do store such data, customers should be able to request that their records be purged.
Since the prior arrangements have fallen through, Microsoft no longer uses strictly local servers from GDPR-compliant operators. Moreover, the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act) of 2018 allows US agencies to sift through foreign data stored on US companies’ servers. Under the circumstances, the only solution was to ban the product, at least for all underage persons.
The solution for companies operating inside Europe is to get an on-premises server. Otherwise, they risk violating local and GDPR laws around underage and other users’ privacy.
Microsoft 365 Ban Due to GDPR Violations
Microsoft declared in late 2018 that it would no longer exclusively run its operations on the German telecom giant Deutsche Telekom’s servers.
Although the servers physically remain in European or German territory, Microsoft can now use them as it likes.
At the heart of the issue is a clash between the US’s CLOUD Act of 2018 and the GDPR. Under the CLOUD Act, the US Government and its agencies can request any user’s data from US-based tech companies, including non-US citizens.
That means US agencies can obtain information stored on servers that are not physically in the US and that fall under other jurisdictions. Under the legislation, US courts can issue a request for data on any person. This is strictly against the provisions of the GDPR.
So, under the new ban, companies and institutions in Germany can only use Office 365 if they store files on private on-premises servers. If they do not meet that condition, using Office 365 is illegal. Apart from Germany, courts in other countries have also ruled Microsoft's data practices unlawful.
Finally, observers criticize the CLOUD Act for the way the US Congress wrote it into law in the first place. Congress passed it as part of the Consolidated Appropriations Act 2018, which was meant to prevent human trafficking. Critics argue that few House representatives were willing to debate against a human trafficking bill, which allowed the CLOUD Act to piggyback on that sentiment.
Windows Might Be Next
Germany's Federal Office for Information Security (BSI) has already expressed concern that the Windows 10 and 11 operating systems collect telemetry data, including typing data and even speech-to-text input.
In response, German and French public schools switched to Linux operating systems and other Office 365 alternatives for their educational needs. Private schools, on the other hand, can opt for Windows operating systems with the express permission of the parents.
Businesses must guarantee compliance with these countries' local rules and the GDPR if they want to keep operating there. Otherwise, the EU may move away from Windows and Apple devices over these privacy issues.
Issues under the CLOUD Act
The CLOUD Act of 2018 was controversial in both the US and Europe from the very beginning. US criticism of the act centered on the Fourth Amendment, which safeguards against unlawful searches and seizures. The act, however, allows US courts to request user information from a company without the individual's knowledge or consent.
In Europe, the act did not go down well at all, as was expected. European legislators immediately quashed this act to protect Europeans against US courts gathering, accessing, and keeping private data without citizens' knowledge.
This situation puts companies like Apple, Google, Amazon, and Microsoft between a rock and a hard place, because they must comply with both the EU's GDPR and the US CLOUD Act. The only solution is to keep personal data of EU users on private servers in the EU.
During the pandemic, we witnessed a considerable rise in cloud-based services. Microsoft Azure and Amazon Web Services were in the lead as the biggest global suppliers of cloud services.
These companies, however, face a major hurdle to their business in the EU: the GDPR conflicts with US legislation that requires companies to share data with the US government.
For companies that operate in Europe and collect customer information in any way, this doesn’t bode well.
Above all, companies struggle to guarantee that they do not collect any information on underage persons.
Because students use Microsoft products extensively for educational purposes, especially Office 365, moving to other types of software can create serious problems for these companies' operations.
Public institutions in France and Germany may lack the budget to work around the ban. Private companies and institutions, by contrast, do have a way to comply with the domestic rules without facing any major issues.
The only option these companies and institutions have is to get on-premises or local servers to store customer information. Companies in sales, marketing, or media would only need to hold customer information on in-house devices, not move their entire setup, which significantly lowers the cost of this solution.
Even so, this option creates financial and technical hurdles for European entrepreneurs and sets the bar for entry into business much higher. Dropshippers and other online entrepreneurs may prefer to conduct business from non-EU countries to avoid these hurdles.