Baden-Württemberg: State is testing Microsoft 365 in schools

In a pilot project in Baden-Württemberg, a specially adapted version of Microsoft 365 is to be tested in several schools. The use of the software in educational institutions is controversial. The state data protection officer Stefan Brink is accompanying the pilot project and wants to check whether the use of the online service is justifiable from a data protection perspective.

The test suite is an adapted version of Microsoft 365, with which the teachers, in addition to an e-mail service, are to be provided with an online office workstation including word processing, presentation and calculation programs and storage space in Microsoft's cloud. In addition, the video conferencing software is to be offered to teams during the several weeks of test operation.

The data flow to the provider (telemetry data) is significantly more data-efficient compared to the versions previously used in schools , emphasizes the state data protection officer . In addition, Microsoft complied with Brink's demands to improve the encryption of the data and reduce its own processing purposes. A significant strengthening of user rights against access by US security authorities, for example through legal protection guarantees and obligations to pay damages, has also been promised.

It remains to be seen whether an application is even possible

"We will check whether the promised deactivation of problematic processing has actually taken place and whether personal data is processed exclusively in Germany", announced Brink. The software package can only be used in compliance with data protection regulations under these conditions. Especially in school relationships, those responsible have a special duty of care: parents, teachers and students need to know which data is collected and how it is used.

In addition, it must be clarified whether a US provider is even an option. It is currently unclear how future data transfers from the EU to the USA will be legally possible, writes the data protection authority with a view to the Schrems II ruling of the European Court of Justice (ECJ) . However, this decision must be made at EU level. Whether there is currently a legal basis for the transfer of data to the USA is controversial.

Ultimately, the schools have to decide which platform they want to use, emphasizes Brink. "The Ministry of Culture should provide alternative communication options that comply with data protection regulations so that schools have a real choice." The country already operates one itself, which consists of the Big Blue Button web conference software, the Moodle learning management system and the Threema messenger. The state university network BelWü provides its own e-mail addresses.

"If you want to strengthen schools, you have to give them not only the technical equipment but also the opportunity to deal more intensively and specifically with the software solutions used and to make responsible decisions themselves," explains Brink. For example, there is an urgent need for an increase in the number of data protection officers in schools, and it is not uncommon for one person to be responsible for looking after 100 to 150 schools.

Criticism of Microsoft 365 from parenting

Just recently , a number of organizations from Baden-Württemberg , including the State Parents' Council, demanded that a learning platform must comply with the General Data Protection Regulation (GDPR). US companies like Microsoft, Google or Amazon are therefore out of the question. On the other hand, it is disputed within the federal and state data protection authorities whether Microsoft 365 can be operated in compliance with data protection regulations. Four state data protection authorities contradict a statement by the German Data Protection Conference (DSK) that excludes such a thing . The assessment is "too undifferentiated" .

However, there was also criticism of the open source software Big Blue Button, often advertised as an alternative , which had a number of security flaws . The Berlin data protection officer Maja Smoltczyk would therefore welcome a security audit and publicly financed further development.