The Hessian Commissioner for Data Protection and Freedom of Information has said that the use of Office 365 and Windows 10 was illegal under local data protection laws.

Hesse is one of German's states and the State's Privacy Commissioner has warned that data stored in the cloud by Office 365 could be accessed in the US. In effect, personal information related to teachers and students would be in the cloud and available to US agencies.

Michael Ronellenfitsch, Hesse's data protection commissioner, stated that, even if such information was stored in European data centres, it remained "exposed to possible access by US authorities".

Ronellenfitsch said public institutions in Germany "have a special responsibility with regard to the permissibility and traceability of the processing of personal data."

Further, the German Federal Office for Information Security (BSI) noted that Windows 10 sends "a wealth of telemetry data to Microsoft." BSI requested Microsoft to advise them what data they take, but had received no response. Commentary suggested that data could include anything from standard software diagnostics to user content from inside applications, potentially sentences from documents and email subject lines, all of which contravenes the EU's General Data Protection Regulation (GDPR).

For the past couple of years, Microsoft has provided a localised version of Office 365, which for quite some time Ronellenfitsch had supported, stating in 2017 that schools could use Office 365, provided that they adhere to Germany's data protection laws. Recently, permission to use that local resource was rescinded, when all services were migrated back to US data centres.

Ronellenfitsch asserts that mere consent to the rules Microsoft provides is not sufficient, because the data remains compromised as the security and traceability remain dubious.

Ronellenfitsch adds, "As soon as, in particular, the possible third-party access to the data in the cloud and the issue of telemetry data have been resolved in a comprehensible and data protection-compliant manner, Office 365 can be used as a cloud solution by schools." (translation via Google Translate)

The full statement (in German) is available here.

Buried in that statement is the observation (in German, translated using Google translate): "The HBDI is aware of the demands that vocational schools, in particular, make for the use of office packages. Therefore, there is also the interest to come together with Microsoft for a privacy-compliant solution. However, this is not up to HBDI or the other German supervisory authorities, but especially to Microsoft itself. As soon as the possible access of third parties to the data in the cloud as well as the topic of the telemetry data are reconciled and compliant with data protection, Office 365 can act as a cloud Solution can be used by schools. Until then, school can use other tools such as on-premise licenses on local systems."

Essentially, this statement is offering schools the option of Windows 7 and whatever stand-alone Office version they can purchase.

Further, the statement notes, "What is true for Microsoft is also true for the Google and Apple cloud solutions. The cloud solutions of these providers have so far not been transparent and comprehensibly set out. Therefore, it is also true that for schools, the privacy-compliant use is currently not possible." (grammar slightly edited for clarity).