German State of Hesse Officially Banned Office 365 Due to Privacy Issues

Recently, schools in Hesse - a state within Germany - are officially forbidden from using Microsoft’s Office 365 suite due to GDPR laws according to a ruling made by data protection commissioner of the area. The issue only arose after Microsoft shut down its data center in Germany last year’s August, exposing user data of European to be vulnerable to tampering of foreigners, especially the U.S.

How Microsoft Handles Users' Data

The telemetry system built into Windows 10 is responsible for the collection of a wide array of user data for use within its products and services in accordance with how the privacy settings are set. This data can be anything, ranging from a line within your e-mail, the e-mail subject line, and others that you might have used a Windows 10 service to translate. A paper also noted that if you set the telemetry set to ‘Enhanced’, crash logs of the computer will also be sent back to Microsoft, which can include a variety of sensitive information that the user could unwittingly disclose.

Microsoft’s response was prompt. A spokesperson of the company acknowledged the commissioner’s concern about students’ privacy when it comes to Office 365. However, he also pointed out that network or IT administrators can manually adjust the type of data that are sent to Microsoft when Office 365 is connected to a network, be it work or school. To further drive their selling point about privacy, Microsoft has also pointed out that they had introduced a few new privacy-related features that could provide better control over such data. The company also pointed out that they have successfully sued the U.S. government for perusing customer data overseas in Europe before. 

The spokesperson also expressed gratitude that the Commissioner has “raised these concerns”. The company also has shown its willingness to work with the Commissioner further on the matter and answer all: “questions and concerns related to Microsoft’s offerings”.

A Solution Is Needed

Microsoft did attempt to address these concerns before in the past, notably with the Windows Diagnostic Data Viewer launched last year. But if the Hessian’s data commissioner was any indication, this was far from enough of an effort. The commissioner will need the company to provide a stauncher proof that the data is, indeed, secured. Simply gaining more consents from users is far from enough, considering the type of data in question is related mostly to school children. 

But it would be unfair to Microsoft to say that it is the only company that is not compliant to the GDPR. In fact, the commissioner noted that schools in Hesse cannot use any cloud storage or cloud-based services, even from giants such as Google or Apple in a GDPR-compliant way. As of now, schools can only use non-cloud service packages such as Office 2019 unless Microsoft is willing to provide better assurances, data storage and security standards to the package.