Windows 10 and Office 365 banned from use in German schools
Following growing concerns over data sovereignty and privacy, Germany’s Hesse Commissioner for Data Protection and Freedom of Information (HBDI) has made it illegal for schools to use cloud-based software from Microsoft, Google and Apple.
As reported by Expert Reviews, this decision highlights the growing significance of data sovereignty as a data security and privacy issue:
“A review conducted by the Hesse Commissioner for Data Protection and Freedom of Information (HBDI) concluded that Microsoft Office 365 and Windows 10 are not suitable for use within the German state’s schools. A principal concern is that Microsoft stores its data in a European cloud which is penetrable by the US authorities”.
According to the official statement from HBDI, it is now illegal to use Microsoft Office 365 in schools in the state of Hesse, Germany. Under data protection law, public institutions in Germany have a “special responsibility” to protect personal data, particularly with regard to access, admissibility and traceability through third parties.
Microsoft's software had previously been made available to schools under a “data trustee model” provided by Deutsche Telekom via a private Cloud, which prevented data from passing through the public internet. However, Microsoft withdrew from this arrangement last year and thus removed the approved safeguard, meaning that schools’ data, and crucially data concerning children, was potentially accessible to US authorities. This led HBDI to review its use in schools.
HBDI was also concerned that Microsoft Windows 10 was gathering substantial amounts of telemetry data while Microsoft refused to disclose what data was being collected or how it would be used. HBDI also deems the privacy policies of Google Docs and Apple’s iWork inadequate and lacking in transparency, so their use in schools has also been banned.
While the German HBDI ruling covers the storage of data in schools, it’s worth remembering that these issues could apply to confidential data stored by organisations in any sector. While Microsoft stores its European data in a European Cloud, its accessibility to US authorities is clearly of concern. However, this is not unusual. The situation is the same across many of the leading Cloud services that are commonly used by organisations across the UK and Europe.
It’s also important to note that several of the most well-known Cloud SaaS products have suffered notable security breaches, leaving users vulnerable to identity theft and cybercrime. For many organisations, including financial institutions, government agencies, professional services organisations, telecommunications service providers and major commercial businesses, such vulnerability to cybercrime could be devastating to business continuity and incur severe legal penalties.
Where Cloud and SaaS services are provided by multi-national organisations across the globe, customers are becoming increasingly concerned about where in the world their data is stored. “Where will our data be stored? Can we be certain that our data is only stored in our company’s sovereign state?” The answers may determine service provider selection.
So, is it possible to guarantee security and 100% control of data sovereignty while using a Cloud service to store your data? At Senetas, we believe it can be achieved if organisations adopt robust InfoSec processes and choose the right technologies. File-sharing, for example, should leverage end-to-end encryption security to ensure data privacy.
Secondly, organisations can safeguard regulatory compliance and address their own data sovereignty concerns and policies by using Cloud services that offer 100% data location control. This means data is only stored according to the data regulations or organisational policy applicable to users in your region.
For more information on secure file sharing, visit www.sure-drop.com