Privacy Authority of German State Bans the Use of Office 365 in Schools

Last updated May 17, 2024
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The data privacy authority of the Hesse state in Germany has decided to outlaw the use of Office 365, Microsoft’s cloud-based service. The banning applies to the schools of the state, with the relevant press release covering Google and Apple cloud services as well. The authority has deducted that none of these products can possibly be used in compliance with the data protection regulations that apply in the country, and so the massive promotion of Office 365 in the German education system needs to be immediately stopped.

Even if children would be allowed to use Office 365 after the parents’ consent, it would still not be enough to circumvent the provision of Article 8 of the General Data Protection Regulation. Even with parental permission, the children’s data in the cloud will still be accessible for processing by the host company, and also traceable. Simply put, the privacy authority believes that Microsoft cannot guarantee the safety of the data, and in addition to that, it is technically clear that Office 365 transmits telemetry data to the company in the same way that the Windows 10 OS does. Although the entity has repeatedly requested for clarifications about what this data entails, Microsoft has not provided any clarifications.

What the Hessian Commissioner suggests as a solution is that schools should acquire software licenses and use MS Office suites locally, with all user data remaining on systems that are on the premises. It is disappointing, to say the least, that the privacy commission is not proposing the use of open-source alternatives such as LibreOffice, which would also help them cut costs, so it looks like the authority is after convincing Microsoft to comply with the data protection laws rather than ditch their products altogether.

To all this, Microsoft responded with the following announcement: “We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced, based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms, we document the steps we take to protect customer data, and we've even successfully sued the U.S. government over access to customer data in Europe. In short, we're thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft's offerings.”

Are you convinced by Microsoft’s response? Do you think that the Hessian Commissioner is taking things too far, or is the ban of Office 365 justifiable? Let us know of your opinion in the comments down below, or on our socials, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: