The use of Microsoft 365 at schools in the German state of Baden-Württemberg has been banned from after summer 2022. Schools must offer suitable alternatives for students and teachers. This is pointed out by the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Dr. Stefan Brink, in a recent press release. This is a failure that was announced in advance, because the data protection officer had already noted in 2021, after an audit lasting several months, that he had serious concerns about the GDPR-compliant use of Microsoft 365 (including Office 365) in Baden-Württemberg's schools.
Ban after the end of this school year
In a statement dated April 25, 2022, the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, Dr. Stefan Brink, comments on the use of Microsoft 365 (MS 365) in schools in this state. I became aware of the issue via the following tweet.
The message from the State Commissioner for Data Protection and Freedom of Information (LfDI) Baden-Württemberg is crystal clear:
As of the coming school year (2nd half of 2022), the use of MS 365 at schools must be terminated or its data protection-compliant operation must be clearly demonstrated by the responsible schools
After the summer vacations in 2022, schools must, according to the LfDI, offer alternatives to the MS 365 cloud service for school operations. Dr. Stefan Brink will soon approach schools known to him that use the cloud service Microsoft 365 (MS 365) or MS Teams from Microsoft. The LfDI will inform the schools of its legal assessment on the use of this online service and ask for a binding timetable for switching to alternatives. To bridge the gap until the summer vacations in 2022, the state commissioner expects that teachers and students will be offered alternatives.
Microsoft 365 not compliant with GDPR
The State Commissioner for Data Protection and Freedom of Information (LfDI) in Baden-Württemberg monitored the use of MS 365 over a long period of time in an intensive and extensive process. Features of MS 365 that were particularly questionable from a general data protection (GDPR) perspective had already been switched off or deactivated as far as possible. This included, for example, the collection of telemetry and diagnostic data. Furthermore, additional security functions were implemented and accounts were only assigned to teachers, but not to students.
In April 2021, the LfDI informed the Ministry of Education about the data protection assessment of this pilot project and recommended against using the tested version of MS 365 in schools due to high data protection risks and to promote alternative solutions. Despite intensive testing and cooperation with the parties involved, the pilot project did not succeed in finding a solution that complied with data protection law.
In a nutshell: Microsoft 365 cannot be used in schools in a privacy-compliant (GDPR-compliant) manner. The statement of the LfDI and the results of the audit have been publicly available for some time (e.g. via Dokumente Online: Empfehlung zum Pilotprojekt zur Nutzung MS 365 an Schulen, Nov. 2021, and a summary under Hinweise des LfDI zur Nutzung von Microsoft 365 durch Schulen). The Ministry of Education and Cultural Affairs subsequently announced that it would rely on a data protection-compliant digital education platform in the future.
Alternative solutions
In his statement, the State Commissioner points out that alternative digital tools are now also available. These have already been used many times over a longer period of time and can still be used successfully.
- For example, Moodle or itslearning, which are offered to schools by the Ministry at no additional cost, can be used as learning management systems.
- The web conferencing system BigBlueButton is integrated in each case, so that video conferencing can also be carried out.
Schools that believe that their use and configuration of MS 365 meets the legal requirements and that wish to continue using the cloud service must now justify to the data protection officer how they intend to ensure data protection-compliant operation and clearly demonstrate this in accordance with their accountability obligations under Article 5(2) of the General Data Protection Regulation.
The entire process naturally throws a spotlight on Microsoft and its Office 365 and Microsoft 365 solutions. The company has had time and opportunity since 2020 to make the whole thing watertight in terms of data protection in accordance with the GDPR, but has probably not done so. Politicians and Microsoft acted according to the principle of "hope, we'll get through". At this point I won't address other questions like: Public money = Public code (which isn't usable for license fees) or vendor lock-in with Microsoft 365.
why anyone would use MSN 365 is beyond me