MS 365 ban from German schools sparks implications for public sector organizations in the whole EU

Sara Ana Cemazar
December 13, 2022
min read

After a 2 year-long investigation, the German Government’s Data Protection Office (Datenschutzkonferenz or DSK) has concluded that Microsoft 365 is not GDPR compliant and banned its use in schools all over Germany. This news further confirms a Europe-wide trend of government-related institutions moving away from US-based tech providers.

The first concerns over Microsoft 365’s compliance with the EU’s ruling data privacy regulation arose a couple of years ago after the enactment of the US CLOUD Act. Following that, Microsoft made a special arrangement with Germany in 2019, hosting data on local servers. However, the German DSK’s decision after 2-year long consideration seems final. 

In a rebuttal statement, Microsoft 365 representatives “respectfully disagree” with DSK’s decision. The question looms: will the ban from schools inspire other government-related institutions to move away from Microsoft to other vendors that fit the DSK’s criteria?

Unpacking the ban: why did it happen?

As previously mentioned, the ban is an aftermath of a long-standing debate about the US CLOUD Act versus GDPR

The Clarifying Lawful Overseas Use of Data Act, or CLOUD Act, is a federal US law enacted in 2018. It concerns data stored or processed by communications service providers. According to the CLOUD Act, customer data can be stored outside the US, but the government has the right to demand it with the appropriate warrants.

Simply put — the US government can ask for access to business data from any US-based company and get non-US citizen data:

The Act expressly provides that U.S. law-enforcement orders may reach certain data located in other countries.

This created a direct breach of GDPR in the area of minors’ data protection — school pupils, in this case. Namely, under the GDPR, minors cannot consent to data collection, and if platforms store minors’ data, they should be able to request data purging.

In other words, US CLOUD Act directly conflicts with the EU’s GDPR. The DSK’s ruling is just a final confirmation that organizations using services like Microsoft Teams, whose servers are located in the US, risk GDPR breaches.

Further implications of the MS365 ban

The DSK’s ruling is another example of European countries' slow but certain move away from US-based software to local providers. In recent years, France has already banned MS Office and Google Workspace in schools and their ministries due to privacy concerns.

The Swedish government didn’t issue a ban per se, but it did urge all its public sector organizations to move to locally-hosted collaboration solutions to, quote, avoid “navigating a grey legal area to meet their needs.”

Germany is perceived as one of the leading EU members, not only when it comes to interpreting and applying international regulations. The ban of MS Office from schools will have long-term consequences on other member-states and their public sector.

Moreover, private organizations that operate in Europe and collect customer information should carefully watch how the situation unfolds. Privacy-conscious organizations will likely follow the DSK’s lead and look for GDPR-compliant alternatives to MS 365.

The alternative? Locally-hosted, GDPR-compliant software

Public and private organizations in Germany, but also in the entire EU will have to find new ways to comply with GDPR. Avoiding storing customer information on cloud-based servers from US technology providers will become more challenging. To stay compliant, many will choose on-premise software and EU-hosted cloud solutions

We already notice European public and private sector organizations looking for locally hosted alternatives to US cloud-based solutions. Considering European Commission’s Open Source Strategy, open-source software could have an advantage among privacy-conscious organizations seeking to replace MS 365.

For us at Rocket.Chat, the DSK decision wasn’t surprising. We’ve been involved in conversations on data privacy and GDPR compliance with public sector organizations throughout the EU. Organizations such as the City of Cologne have been using Rocket.Chat for secure collaboration of its employees across different city subsidiaries.

We’ve also partnered with Pexip, a leader in secure video conferencing, to fortify our offer for secure digital collaboration to EU-based organizations. Our integration with Nextcloud also extends the use of Rocket.Chat. With Matrix federation capabilities, Rocket.Chat strongly supports interoperability in privacy-minded environments.

If you are looking for a secure, interoperable, and on-premise hosted communications platform, reach out to us at Rocket.Chat.

Get started with Rocket.Chat’s secure collaboration platform

Talk to sales

Frequently asked questions about <anything>

Sara is an SEO Strategist at Rocket.Chat. She is passionate about topics around digital transformation, workplace experience, open source, and data privacy and security.
Sara Ana Cemazar
Related Article:
Team collaboration: 5 reasons to improve it and 6 ways to master it
Want to collaborate securely with your team?
Deploy Rocket.Chat on-premise or in the cloud and keep your conversations private.
  • Digital sovereignty
  • Federation capabilities
  • Scalable and white-labeled
Talk to sales
Looking for a HIPAA-ready communications platform?
Enable patients and healthcare providers to securely communicate without exposing their data.
  • Highly scalable and secure
  • Full patient conversation history
  • HIPAA-ready
Talk to sales
The #1 communications platform for government
Deploy Rocket.Chat on-premise, in the cloud, or air-gapped environment.
  • Secure data governance and digital sovereignty
  • Trusted by State, Local, and Federal agencies across the world
  • Matrix federation capabilities for cross-agency communication
Talk to sales
Want to customize Rocket.Chat according to your own preferences?
See behind the engine and change the code how you see fit.
  • Open source code
  • Highly secure and scalable
  • Unmatched flexibility
Talk to sales
Looking for a secure collaboration platform?
Keep your conversations private while enjoying a seamless collaboration experience with Rocket.Chat.
  • End-to-end encryption
  • Cloud or on-prem deployment
  • Supports compliance with HIPAA, GDPR, FINRA, and more
Talk to sales
Want to build a highly secure in-app chat experience?
Use Rocket.Chat’s APIs, frameworks, and managed backend to build a secure in-app or live chat experience for your customers.
  • Supports compliance with HIPAA, GDPR, FINRA, and more
  • Highly secure and flexible
  • On-prem or cloud deployment
Talk to sales

Our best content, once a week

Share this on:

Get your free, personalized demo now!

Build the most secure chat experience for your team or customers

Book demo