1. Preliminary remark
For years, there has been a debate in Germany about whether schools can use Microsoft’s Office 365 software in a privacy-compliant manner. In August 2017, following an extensive review, the Hessian Commissioner for Data Protection and Freedom of Information (HBDI) was the only German supervisory authority for data protection to issue a statement on Microsoft’s Deutschland-Cloud. In its statement at the time, the HBDI determined that Office 365 can be used by schools in the Germany Cloud in a data protection-compliant manner, provided that the tools supplied by Microsoft (e.g., role and authorization concept, logging, etc.) are applied appropriately by the schools. In August 2018, Microsoft informed the public that contracts would no longer be offered for the Germany Cloud and that sales of this product would be discontinued. Since then, the HBDI has received inquiries from a large number of teachers and school administrators, as well as school boards, regarding the use of Office 365 in the European cloud. In addition, Office 365 has been massively promoted in the school landscape by individual school boards in recent months, irrespective of the unresolved data protection issues.
2. Why the cloud application of Office 365 is currently illegal
The use of cloud applications by schools is generally not a problem under data protection law. Many schools in Hesse are already using cloud solutions. Whether it’s the learning platform or the electronic class register, for example, schools can use digital applications in a way that complies with data protection requirements, provided that the security of data processing and the participation of students are guaranteed. The legal situation is different for Office 365 as a cloud solution. For years, regulators have been in discussions with Microsoft. The crucial aspect here is whether the school, as a public institution, can store personal data (of children) in a (European) cloud that is exposed to possible access by US authorities, for example. Public institutions in Germany have a special responsibility with regard to the permissibility and traceability of the processing of personal data. The digital sovereignty of state data processing must also be guaranteed. In addition, there is another problem that was brought to the public’s attention by the Federal Office for Information Security in the fall of 2018. With the use of the Windows 10 operating system, a wealth of telemetry data is transmitted to Microsoft, the contents of which have not been conclusively clarified despite repeated requests to Microsoft. Such data is also transmitted when using Office 365.
3. Can schools use consent to solve the problem?
Up to now, schools have been dependent on the consent of the data subjects, insofar as digital processing of personal data takes place in or through schools. Whether the consent of the data subjects justifies digital processing of personal data in certain situations can be left open. In any case, in connection with the use of Office 365 in the cloud, consent does not offer a solution because the security and traceability of the data processing procedures are not guaranteed. Therefore, the data processing is inadmissible. Attempting to remedy this through a declaration of consent by the parents would also not sufficiently take into account the special protection rights of children, e.g. according to Art. 8 of the General Data Protection Regulation (GDPR). Parental consent therefore does not solve the problem.
4. What are the prospects for using Office 365?
The HBDI is aware of the needs that vocational schools in particular have for the use of office packages. That is why there is also an interest in working with Microsoft to arrive at a solution that complies with data protection requirements. However, this depends not on the HBDI or the other federal regulatory authorities, but primarily on Microsoft itself. As soon as the possible access of third parties to the data in the cloud and the issue of telemetry data in particular have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools. Until that time, however, schools can make use of other tools such as on-premises licenses on local systems.
5. Other cloud solutions from e.g. Google and Apple
What is true for Microsoft is also true for Google’s and Apple’s cloud solutions. The cloud solutions of these providers have also not been presented transparently and comprehensibly to date. Therefore, it is also true here that data protection-compliant use is currently not feasible for schools.