Federal German data protection regulators have banned the use of Microsoft 365 in schools over concerns about data collection and the use of U.S. cloud providers.
In a report, Datenschutzkonferenz (DSK) concluded that Microsoft 365 is not legally compliant with the General Data Protection Regulation (GDPR). The report said that Microsoft has not been able to resolve the compliance issues DSK raised and that the software “remains in breach” of German and E.U. data protection laws.
This revelation comes in the heels of a growing trend of European government institutions distancing themselves from U.S.-based tech providers.
In a statement, Microsoft said that it “respectfully disagrees” with DSK’s findings, and maintains that Microsoft 365 “exceeds” E.U.’s data privacy statutes.
Before the ban
German authorities first expressed concerns over Microsoft 365’s compliance with GDPR after the passage of the U.S. CLOUD Act in 2018.
The law allows U.S. federal law enforcement agencies to force U.S.-based technology companies via warrant or subpoena to produce requested data stored on servers, irrespective of where the data was stored.
In response, Microsoft provided German customers with a special cloud version hosted on Deutsche Telekom servers, with the telecom giant serving as a data trustee. This special arrangement was later terminated with Microsoft establishing new cloud regions in Germany under their network.
Trouble brewing for U.S. tech giants
Germany’s federal ban follows recent moves by other E.U. countries to restrict the use of U.S.-based tech solutions in government institutions.
Denmark’s data protection agency, Datatilsysnet, banned Google Workspace in schools. Google Workspace bundles Gmail, Calendar, Google Docs, and other Google services into one cloud-based suite.
French education minister Pap Ndiaye said that Microsoft 365 and Google Workspace violate E.U. data privacy rules, and has urged schools across France to stop using free versions of these services.
The Dutch justice ministry published a report detailing the data privacy risks of Microsoft services and their associated mobile apps. Nextcloud founder Frank Karlitschek commented on the Dutch report’s findings: “The usage of Teams, OneDrive and other Microsoft services is highly problematic, especially for the European public sector.”