After a 2 year-long investigation, the German Government’s Data Protection Office (Datenschutzkonferenz or DSK) has concluded that Microsoft 365 is not GDPR compliant and banned its use in schools all over Germany. This news further confirms a Europe-wide trend of government-related institutions moving away from US-based tech providers.
The first concerns over Microsoft 365’s compliance with the EU’s ruling data privacy regulation arose a couple of years ago after the enactment of the US CLOUD Act. Following that, Microsoft made a special arrangement with Germany in 2019, hosting data on local servers. However, the German DSK’s decision after 2-year long consideration seems final.
In a rebuttal statement, Microsoft 365 representatives “respectfully disagree” with DSK’s decision. The question looms: will the ban from schools inspire other government-related institutions to move away from Microsoft to other vendors that fit the DSK’s criteria?
Unpacking the ban: why did it happen?
As previously mentioned, the ban is an aftermath of a long-standing debate about the US CLOUD Act versus GDPR.
The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, is a federal US law enacted in 2018. It concerns data stored or processed by communications service providers. According to the CLOUD Act, customer data can be stored outside the US, but the government has the right to demand it with the appropriate warrants.
Simply put — the US government can ask for access to business data from any US-based company and get non-US citizen data:
The Act expressly provides that U.S. law-enforcement orders may reach certain data located in other countries.
This created a direct breach of GDPR in the area of minors’ data protection — school pupils, in this case. Namely, under the GDPR, minors cannot consent to data collection, and if platforms store minors’ data, they should be able to request data purging.
In other words, US CLOUD Act directly conflicts with the EU’s GDPR. The DSK’s ruling is just a final confirmation that organizations using services like Microsoft Teams, whose servers are located in the US, risk GDPR breaches.
Further implications of the MS365 ban
The DSK’s ruling is another example of European countries' slow but certain move away from US-based software to local providers. In recent years, France has already banned MS Office and Google Workspace in schools and their ministries due to privacy concerns.
The Swedish government didn’t issue a ban per se, but it did urge all its public sector organizations to move to locally-hosted collaboration solutions to, quote, avoid “navigating a grey legal area to meet their needs.”
Germany is perceived as one of the leading EU members, not only when it comes to interpreting and applying international regulations. The ban of MS Office from schools will have long-term consequences on other member-states and their public sector.
Moreover, private organizations that operate in Europe and collect customer information should carefully watch how the situation unfolds. Privacy-conscious organizations will likely follow the DSK’s lead and look for GDPR-compliant alternatives to MS 365.
The alternative? Locally-hosted, GDPR-compliant software
Public and private organizations in Germany, but also in the entire EU will have to find new ways to comply with GDPR. Avoiding storing customer information on cloud-based servers from US technology providers will become more challenging. To stay compliant, many will choose on-premise software and EU-hosted cloud solutions.
We already notice European public and private sector organizations looking for locally hosted alternatives to US cloud-based solutions. Considering European Commission’s Open Source Strategy, open-source software could have an advantage among privacy-conscious organizations seeking to replace MS 365.
For us at Rocket.Chat, the DSK decision wasn’t surprising. We’ve been involved in conversations on data privacy and GDPR compliance with public sector organizations throughout the EU. Organizations such as the City of Cologne have been using Rocket.Chat for secure collaboration of its employees across different city subsidiaries.
We’ve also partnered with Pexip, a leader in secure video conferencing, to fortify our offer for secure digital collaboration to EU-based organizations. Our integration with Nextcloud also extends the use of Rocket.Chat. With Matrix federation capabilities, Rocket.Chat strongly supports interoperability in privacy-minded environments.
If you are looking for a secure, interoperable, and on-premise hosted communications platform, reach out to us at Rocket.Chat.