Microsoft has once again run afoul of the GDPR rules in Germany, with the Commissioner for Data Protection and Freedom of Information in the German state Hesse, declaring that Windows 10 and Office 365 is not compliant with the GDPR for use in schools.

The issue is related to the telemetry both cloud-connected solutions send back to Microsoft in USA, which ranges from standard software diagnostics to user content from inside applications, potentially sentences from documents and email subject lines.

Previously Microsoft provided a special version of these software applications which stored the data in European data centres, but recently this permission was rescinded, and data was being sent directly to USA.

Michael Ronellenfitsch, Hesse’s data protection commissioner, said that public institutions in Germany “have a special responsibility with regard to the permissibility and traceability of the processing of personal data.”

Ronellenfitsch adds, “As soon as, in particular, the possible third-party access to the data in the cloud and the issue of telemetry data have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools.”

He noted Microsoft’s issues also affected other IT solution providers, saying “What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, the privacy-compliant use is currently not possible.”

That leaves schools with very few options, until Microsoft resolves the issue to Germany’s satisfaction, with the commission noting that “… school can use other tools such as on-premise licenses on local systems.”

That in effect means Windows 7 and boxed versions of Office 2016.

It is not clear yet how affected parties will react to this ruling and the possible disruption it would cause, but I suspect the simplest fix would be to simply revert back to European data centres.

The ruling (in German) can be read here.

Via ITWire

Comments