Microsoft Office in trouble in Germany due to GDPR
Microsoft’s suite of productivity apps, Microsoft 365, is in hot water with German authorities due to an alleged incompatibility with the data protection laws of Germany and the rest of the European Union.
Microsoft has been in negotiations with Germany’s state and federal data protection authorities since 2020 about the compatibility of its 365 utility with the EU’s data protection laws. According to a report written by the Datenschutzkonferenz (DSK), Microsoft is still in breach of the General Data Protection Regulation (GDPR).
The main issue seems to be that under the GDPR, individuals under 13 years of age are not capable of consenting to data collection. Permission may be given by a guardian or other holder of parental responsibility for children under 16 years of age, but the law is clear about companies not being able to collect data from children younger than 13. The unofficial agreement with data collection is that, should data be collected from a consenting adult, that person retains the agency to request that their data be deleted.
Unfortunately, while Microsoft 365 is incredibly useful in school situations, use of the utility requires users to consent to data collection. In particular, the report highlights that ‘Many of the services included in Microsoft 365 require Microsoft to access the unencrypted, non-pseudonymized data.’*
*The quote above has been translated from the native German used in the report into English.
Microsoft, however, maintains that ‘We ensure that our M365 products not only meet, but often exceed, the strict EU data protection laws. Our customers in Germany and throughout the EU can continue to use M365 products without hesitation and in a legally secure manner.’
The DSK alleges that Microsoft is still in breach of the law because it has only changed the wording of its policy, not the implications thereof. The final word on the ruling thus far is that the ‘use of personal data of users (e.g. employees or students) for the provider's own purposes excludes the use of a processor in the public sector (especially in schools).’
Matthias Pfau, the founder of the encrypted email service Tutanota, delivered his opinion of the situation subsequent to the ruling: ‘It is unbelievable that American online services continue to trample on the European GDPR more than four years after it was passed... Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems. Linux with Open Office is a very good alternative to which schools and authorities should switch immediately.’