Data protectionists see Microsoft 365 in authorities as not legally compliant

German authorities and public institutions such as schools should stay away from Microsoft 365. According to a report from the magazine, this is the result The mirror the sub-working group of the data protection conference of the federal and state governments (DSK), which was set up at the end of 2019 and specifically dealt with Microsoft 365 (formerly Office 365). The program suite, which includes products such as Word, Excel, PowerPoint, the Teams communication application and OneDrive cloud storage, cannot be used in accordance with the rules.

The experts have the report of the Mirror according to contracts and documents evaluated and should have come to the conclusion in the context of their month-long investigation that “no data protection-compliant use of Microsoft 365 is possible”. However, the DSK has not yet published the results of the analysis. This is due to the fact that not all state data protection officers are of the opinion that urgent action is required, writes with reference to the report. Above all, there is an objection from the supervisory authority in Bavaria.

In a circular e-mail, the inspectors there reportedly described the working group’s formulations as legally questionable and opposed its publication. Microsoft Germany is based in Munich.

A spokesman for the Bavarian data protection officer Thomas Petri had previously told heise online that there were at least “open questions” about the use of the team software in schools in the state. The authority did not want to comment on a “brief report on the use of Office 365 under Windows 10 in schools” by a Nuremberg lawyer, according to which the software included transmits user data to Microsoft to a considerable extent in a non-transparent manner.

The Federal Data Protection Officer Ulrich Kelber confirmed this mirrorthat there is still a need for coordination within the group of colleagues and with Microsoft. He hoped that the DSK could soon give a joint assessment of the controversial Microsoft products.

The use of Microsoft 365, especially in schools, has long been controversial among German data protectionists. In July 2019, for example, the Hessian data protection officer Michael Ronellenfitsch took the view that the package should not be used, at least in the standard configuration, due to problems with the privacy of the students. A month later, he backed off a bit and declared that he would tolerate the use of the cloud application of the office package from certain versions by educational institutions at least until further notice.

The Berlin data protection officer Maja Smoltczyk recently showed video systems such as Teams, Skype, Zoom or Google Meet the red card. The supervisory authority in North Rhine-Westphalia said in summer 2019 that Office 365 in particular could not be recommended. The Baden-Württemberg inspector Stefan Brink complains about “structural defects” in the product. EU data protection officer Wojciech Wiewiórowski recently criticized that responsibilities are not traceable and data flows cannot be checked in detail, so that the Brussels committees should better look for alternatives.


To home page