Trouble is brewing for educational institutes in Baden-Württemberg, Germany, which continue to work with Microsoft’s cloud-based Office 365 package despite repeated warnings by the data protection supervisory. The data protection authority in the Ländle writes in its activity report for the year 2022: „We urgently recommend that all schools switch over quickly. If we receive any further complaints, we will also investigate them.“
Due to Microsoft’s questionable data protection and compliance policies, which has been known for a long time, there is only a short period of time to act „in order to guarantee the rights and freedoms of the people concerned more quickly“.
Potential claims for damages for using Microsoft Office 365
Jan Wacke, who is currently in charge of the supervisory authority after the departure of data protection officer Stefan Brink, underpins the appeal with a reference to potential claims for damages under Article 82 of the General Data Protection Regulation (GDPR). The extent to which appropriate payments would be made to those affected by schools and how the courts would react to this „has yet to be seen“.
The authority advises the Ministry of Education, the supreme supervisory authority for schools, to „emphasise this problem in order to protect them from harm“. As part of the digital education platform, „good alternatives are now available„. Brink had previously fought for years to keep Microsoft out of the country’s offering and predominantly open source software is used.
„Individual schools“ are still using Microsoft 365 or parts of it, such as the Teams video conferencing solution, despite repeated warnings about privacy risks , the report says. On the other hand, there were „numerous complaints from parents and students“. As part of a pilot test with a specially configured version, the Office package could not be operated in compliance with data protection: „For numerous data flows and transmissions of personal data“, the examiners found „no legal basis“.
In addition, according to Wacke, „so far none of the schools we have contacted“ has been able to provide sufficient evidence „which refutes our findings and measurements for the configuration used in them“. Public authorities cannot simply trust manufacturers‘ performance promises.
Based on this article published in Heise (text in German)