Microsoft 365 no longer welcome in German and French schools due to GDPR compliance concerns
The end of 2022 brought some critical challenges for Microsoft 365 in Europe. Both Germany and France issued official statements banning the use of the software in educational institutions due to GDPR compliance concerns.
On 7 December 2022, the Conference of the Independent Data Protection Authorities of Germany (DSK) issued a detailed report summarizing the results of a Microsoft Online Services audit. The key takeaway from the document is the DSK’s conclusion that the use of Microsoft 365 violates data protection law as set out in Art. 5 (2) General Data Protection Regulation (GDPR), which led to a formal restriction of software use in educational institutions.
In parallel to the events in Germany, a similar situation was unraveling in France. On November 15, the French Ministry of National Education issued a statement that put an end to the use of Microsoft 365 for schools and students. The reasons mirrored the German case, with a strong emphasis on non-compliance with GDPR laws, the Schrems II judgment of the ECJ, as well as France’s internal doctrines.
Let’s take a step back and look into the core reasons for the ban and ways to mitigate the consequences.
Unpacking the ban: The tenuous relationship between GDPR and Microsoft
GDPR, one of the world’s strictest regulations on data privacy and security, affects not only European companies and citizens, but also global enterprises that operate on the territory of the EU. Companies that collect, process, and store EU citizens’ data are obliged to operate in compliance with the legislation. So, what went wrong in the case of Microsoft?
The CLOUD Act, introduced in the US in April 2019, allowed US-based companies that operate internationally to store their data in off-premise cloud storage. The Act also gave US government agencies the right to request access to user data stored on US companies’ servers. Given that US courts can request US companies to issue data about any person or entity, US government agencies have also gained access to sensitive information of foreign individuals and companies whose data is stored on US servers. This, however, goes against the provisions of the European GDPR legislation. The provisions of the CLOUD Act caused serious concerns around GDPR compliance in many European countries, including Germany and France. Under the recent bans issued by the latter, it became illegal for public education institutions to use Microsoft 365 unless they are able to store their data within the local country’s borders.
Another issue that facilitated the ban concerns the protection of minors’ data. Under the GDPR legislation, individuals who haven’t reached the age of eighteen can’t consent to any form of data storage. Regulators are also concerned that Microsoft is using the collected telemetry and diagnostic data for self-interested purposes, which is particularly hard to justify under the GDPR. Along with this, concerns have been raised about Microsoft’s data retention and deletion policy.
Looking into the near future, there is a high likelihood that other European states will follow the example of France and Germany and adopt similar bans against multinational corporations such as Microsoft, Google, and Amazon. In a nutshell, there are three major issues confronting the use of their products in the EU:
- Data localization – EU legislation calls for local data storage;
- Data sovereignty – institutions must have full ownership of user data, preventing unauthorized disclosure to US authorities;
- Minors’ data protection – GDPR calls for transparent retention and deletion policies with regard to the records of individuals under 18 years of age.
Yet, even if Microsoft fails to take the necessary action to address the aforementioned issues, organizations that want to continue using Microsoft 365 can still do so by implementing GDPR-compliant workarounds. Let’s discuss some possible options.
Is there a way to continue using Microsoft 365 in compliance with GDPR?
While the statements of DSK and the French Ministry of National Education put strict limitations on the use of Microsoft 365, organizations should not rely solely on Microsoft to take action. Instead, it is important to understand the possible opportunities for mitigating the risk associated with the software and ensure compliance with GDPR.
Public educational institutions in France, Germany, and other European states, along with private organizations across the EU, can continue using Microsoft products under one condition – data sovereignty. What does this mean?
In simple words, data sovereignty is the key to full control over data ownership, localization, and disclosure. The ability to decide where their data is stored and who has access to it, even when the software is developed by foreign companies, is crucial for organizations that want to use the tools and applications they love in full compliance with local regulations.
We suggest the following steps to ensure compliant and secure use of Microsoft 365 for EU-based businesses and organizations:
- Assess options to avoid third-country data transfer;
- Adjust software preferences to reduce data sharing and enhance privacy settings;
- Perform a data protection impact assessment (DPIA);
- Leverage Worldr’s solution for Microsoft Teams to protect corporate and client communications so no third party can access them.
Worldr for Microsoft Teams keeps your communications data localized while enabling data sovereignty. Book a demo today to see how it works.