Go to ...

RSS Feed

Microsoft, Europe and GDPR


Back in 2015, Microsoft in a joint operation with German Telecom launched Microsoft Cloud Deutschland (MCD) to keep data belonging to German residents in Germany, protected by local privacy laws. This satisfied local regulators, who announced that because the data of German residents will remain in Germany, it would be safe to use Microsoft products and services in state and federal institutions.

Only three years later, in early 2018 however, MCD was shut down (read more), Microsoft lost over 100 million Euros on this failed project. Since then, German lawmakers have been worried about data being stored in the USA, where, according to German authorities, various intelligence agencies might get access to information belonging to German residents.

Germany has very strict privacy laws, and now one of 16 German states (Länder) has decided those laws are not enough. Consequently, the State of Hesse has told all schools, that from now on, use of Microsoft Office 365 is forbidden (press release in German). The decision form the state’s data protection authority is based on concerns that personal data and information of faculty and students could possibly be accessed by US officials and intelligence agencies. For students, an added concern is that their consent was neither requested nor granted.

This follows a report from the Dutch government late last year about Microsoft Office telemetry being out of compliance with GDPR requirements (General Data Protection Regulation), European Union directive 95/46/EC (Wikipedia). They claim that the way telemetry is collected clearly violates user privacy.

Microsoft is not alone in its misbehavior. Austrian privacy advocate Max Schrems has been fighting against companies like Google and Facebook, saying the companies clearly violate GDPR by storing European user data in USA. He has even founded a non-profit to assist people who want to take their cases to court.

How this will end, nobody knows. Privacy protection and regulation is of course only positive, but how far will it go? Which of the global major players will be the test case,  the first one to get a multi million – even billion – fine for breaking the GDPR?

In my opinion, GDPR is good when it’s not overdone. I can understand European authorities not wanting for instance their citizen’s passport applications being stored in USA, but at the same time I have hard to think what use NSA could make of some teenager’s paper about renaissance artists? Naturally I understand that this is quite a black and white situation, we here in Europe cannot select which personal data we allow to be stored outside EU, and which not. GDPR is to protect our privacy, every aspect of it.

Anyway, a state forbidding schools to use Microsoft Office because of privacy concerns, that’s gone too far. IMO anway. We’ll soon see what the courts think, I imagine . . .

Kari

Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site TenForums.com.

Leave a Reply