It is now illegal for schools in the central German state of Hesse to use Microsoft’s Office 365 productivity software thanks to a ruling by the state’s Commissioner for Data Protection and Freedom of Information (HBDI), who recently declared that the cloud-based platform violates German privacy laws.
They argued that it exposes students’ and teachers’ personal information to “possible access by U.S. authorities”.
The HBDI’s decision is a striking example of how overly restrictive privacy laws can leave European consumers worse off by making valuable technology off limits.
Germany is known to have a particularly sensitive approach to privacy and has been on a mission to influence strict data protection rules in the EU as a remnant of its past under East Germany’s communist regime.
Martin Selmayr, the German soon-to-be-ex General Secretary of the European Commission, was the architect behind the General Data Protection Regulation (GDPR), which is no coincidence given his grandfather was a West German intelligence chief in charge of combating the Stasi.
'Harming access to education'
The consequences of history are still present, but associating the use of innovative technologies by schools with surveillance and control is misleading.
Germany’s stronger reactions, suspicion, and stricter requirements are ultimately harming businesses and access to education.
The HBDI is objecting to schools using Office 365 because Microsoft stores data in the U.S. and the General Data Protection Regulation (GDPR) prohibits data processors from storing data outside the EU without first obtaining users’ consent.
The GDPR allows parents to provide consent for their children, but only to the extent authorized by local authorities. In this case, the HBDI is not allowing parents to provide consent for their children, so schools are effectively barred from using Office 365.
This prohibition makes no sense. The rationale for preventing data transfers to other countries is to limit illegitimate government surveillance.
But the US government can request access to data stored by US companies even when that data is stored abroad—a requirement made clear when the US Congress passed the CLOUD Act—so whether Microsoft stores data in the United States or Germany makes little difference.
In addition, the data involved is innocuous. Students mostly would be storing documents in the cloud, and the FBI has better things to do than read homework assignments of schoolchildren.
Office 365 also collects various types of diagnostic data, such as load times, software versions, and file sizes—most of it not about the students themselves—and this type of data is primarily used for improving software performance and troubleshooting.
Microsoft does not disclose that information to third parties, so it is highly unlikely to cause harm to individuals, who can also choose to disable the collecting of certain data and even delete it.
The HBDI’s decision could also apply to Microsoft Windows 10, since it collects similar application data, as well as Office 365 competitors, such as Google Docs and Apple’s iWork. This restriction will prevent students and teachers at these schools from using these tools, which are often provided free of charge.
The German state’s overbearing watchdog would still allow schools to use “other tools such as on-premise licenses on local systems.” In other words, students will have to make do with older, non-cloud-based software with fewer features and less interoperability.
Given that employers are always asking for workers with strong digital literacy, keeping students from accessing one of the most common business tools in the world is completely misguided. In addition—and rather ironically—the HBDI’s decision could put the security of students’ personal data at risk.
Running older software can expose organizations to greater security risks, and some alternatives to Office 365, such as Zoho Office, are attractive targets for attackers because their security features are more lax.
This decision is an egregious example of how privacy regulators can fail to balance privacy with innovation. If there was some question about the way in which companies obtain the necessary consent to process student data, the regulators should have worked with the private sector to resolve this issue.
Protecting customers, not limiting innovation
After all, Microsoft has been a willing partner in past efforts to protect user information—including by suing the U.S. Justice Department to challenge government access to its customers’ data. The HBDI should have acted constructively by notifying Microsoft and clarifying its expectations to the firm before expediting a ban.
The European Commission recently called for data protection authorities to help and support companies, yet this decision sanctions conduct before the facts have even been established.
The goal of privacy laws should be to protect consumers, not limit innovation. Accomplishing this requires regulators to act carefully and deliberately. This decision by the HBDI will do nothing to improve student privacy, but it will leave students worse off.