Office 365 declared illegal in schools in Germany

Microsoft 365 is banned in German schools.

The thing in Germany with the office suites seems like a soap opera. Years ago we were happy when the city of Munich decided to switch to Linux and LibreOffice. Some time later they elected a former Microsoft collaborator as mayor and the decision was reversed. Now we learned that throughout Germany there is a ban on the use of Microsoft 365 in all schools.

Of course, the situation is not the same. In this case we are not talking about a computer program installed on each computer or the cost of licenses. We talk about a cloud solution and privacy concerns.

Why is Office 365 illegal?

In short, because the DSK, the German data protection agency decided that in the face of what it considered a lack of transparency regarding data protection and possible access by third parties, personal data of German school children must not be stored on Microsoft servers outside of Germany

This happens after two years of fruitless negotiations with the North American company. At one time, Microsoft gave the option of storing the information in data centers located in Germany, but that option is no longer available and the German authorities considered that Microsoft 365 (The current name of the cloud office suite) no complies with European regulations for the protection of personal data. As a consequence, the Microsoft product is not suitable for use in schools. 

The salient points of the DSK opinion are:

Controllers must be able to fulfill their liability obligations pursuant to Art. 5 (2) GDPR at all times. When using Microsoft 365, difficulties can still be expected in this regard on the basis of the 'data protection supplement'. Microsoft does not fully disclose what processing operations are carried out in detail. In addition, Microsoft does not fully disclose which processing operations are carried out on behalf of the client or which are carried out for its own purposes. The contractual documents are not precise in this regard and do not allow a conclusive evaluation of the treatment, which can even be extensive, even for the company's own purposes.

The use of personal data of users (eg employees or students) for the provider's own purposes excludes the use of a processor in the public sector (especially in schools).

Also, the DSK does not like data transfer to the US either. because this automatically gives the authorities of that country access to the information.

Working group discussions with Microsoft confirmed, in accordance with contractual provisions, that personal data will in any event be transferred to the US when using Microsoft 365. It is not possible to use Microsoft 365 without transferring personal data to The USA.

For the same reason, the DSK also advises private users not to use Microsoft 365, as Microsoft simply cannot be trusted to handle collected information in a privacy compliant manner.

En LinuxAdictos ya we had commented on similar measures taken in Germany and other European countries against Google products.

Although I cannot help but agree with the measure and the reasons given for taking it, I can't help but wonder if behind the defense of user privacy there isn't an intention to implement protectionist measures covert. Competitors from Google and Microsoft came out to applaud the move. One of them was Matthias Pfau, founder of the encrypted email service Tutanota:

It is unbelievable that American online services continue to trample on the European directive more than four years after it was passed. Obviously, the large American corporations are enduring the complaints and also the sanctions because the business model - "use my service and I use your data" - is extremely lucrative for them. Instead of relying on voluntary cooperation, much tougher measures must be applied here; for example, by using completely different systems. Linux with LibreOffice is a very good alternative that schools and authorities should switch to immediately. As long as schools and authorities continue to use Microsoft, albeit locally installed, Microsoft obviously sees no reason to respect European data protection standards."

Other cloud solutions, like email and calendar, don't have to be from Microsoft. Now there are very good and fully encrypted services, like Tutanota of Hanover. Here, privacy and data protection are guaranteed, and all data is stored on German servers.

Leave a Comment

Your email address will not be published. Required fields are marked with *



  1. Responsible for the data: AB Internet Networks 2008 SL
  2. Purpose of the data: Control SPAM, comment management.
  3. Legitimation: Your consent
  4. Communication of the data: The data will not be communicated to third parties except by legal obligation.
  5. Data storage: Database hosted by Occentus Networks (EU)
  6. Rights: At any time you can limit, recover and delete your information.

  1.   José said

    If it is not suitable for schools, it will not be for companies either. Sensitive data is stored in all companies and institutions that use office365. There are many tenders requesting thousands of euros for licences.