Microsoft at schools: Open questions about data protection in Baden-Württemberg

A conversation between the Baden-Württemberg Ministry of Culture and the state data protection officer Stefan Brink with Microsoft and other parties involved in the planned digital education platform initially did not result in a breakthrough in terms of the use of specific software products.

There are still “open data protection issues,” admitted a spokeswoman for Education Minister Susanne Eisenmann (CDU) to heise online. These, as well as the technical and organizational measures developed by the department in the meantime, are “the content of the dialogue mentioned and thus the subject of the existing coordination and decision-making process”.

In principle, however, the goal remains to “introduce a data protection-compliant solution based on Microsoft Office 365”. In Baden-Württemberg, a teaching and learning environment on the Internet is to be created for around 24 million euros by 2021. For this purpose, Eisenmann has provided Microsoft products at least for “individual components”.

Auditors from PricewaterhouseCoopers (PWC) largely gave the Christian Democrat the green light in a “Data Protection Impact Assessment” (DPIA) from the beginning of April. They refer to the “data processing to be assessed … only risks of the middle category”. Corresponding processes and “in particular international traffic”, for example in the case of a cloud-based approach, were based “through the use of Microsoft as the contract data processor” on “sufficiently valid legal bases”, says the document available to heise online.

The experts “essentially” recommend implementing only “certain technical and organizational measures” in the form of “suitable remedial measures” and developing a “usage regulation”.

Brink comes to completely different results in his review report on the DPIA, dated July 3rd. The data protection officer refers to “structural defects in the product Microsoft Office 365”. In particular, the outflow of personal information to the US group for its own purposes could not be completely prevented. For such a transmission “no legal basis can be identified”. Principles of transparency, purpose limitation and data minimization could not be observed.

For the data protection officer, it seems questionable whether the Ministry of Education or the schools would be able to fulfill their accountability under the General Data Protection Regulation (GDPR) in the event that the product is used. Brink also complains about “serious shortcomings” in the analysis submitted by PWC. Above all, the “required comprehensive overview of all the data processing operations planned and offered to the teachers” is missing, and responsibilities are ultimately not clear.

Brink takes a critical view of the fact that it is not even clear which product forms the assessment refers to and which specific components should be used with which individual applications, services, components, configuration options and standard settings. Data outflows to Microsoft were not examined at all, although this was absolutely necessary.

The use of Office 365 by students was also not dealt with. The paper must therefore be revised “considerably”, and Microsoft must also resolve the overriding difficulties. The Ministry of Culture did not want to answer detailed questions about the massive challenges pointed out by Brink. The spokeswoman emphasized, however, that it had been agreed to continue the explorations “constructively in order to bring the data protection impact assessment, which was present in a first stage, up to a valid and coordinated basis for decision-making by the end of the month”.

After the Chaos Computer Club, the “Alliance for Humane Education” founded by university lecturers, scientists and committed citizens calls on Eisenmann to prevent a fatal wrong decision and to come to her senses. “There must be no danger that student data will leak into the USA,” criticizes Ralf Lankau from the alliance in an open letter. The US Cloud Act stipulates that US companies like Microsoft have to give out personal information, “no matter what server they are on”. US law is breaking EU law, the professor points out. The European Court of Justice (ECJ) has now confirmed this twice.

In the hands of US corporations, the data of European consumers could not be protected from access by national secret services such as the NSA. This leads to a “scandalous situation”, especially with particularly sensitive information about students. The letter ends with an appeal to the minister: “Make schools fit for the future by introducing the software of the 21st century with Linux and open source programs from European companies instead of relying on the IT monopolies of the 20th century.”

