The heart of the issue concerns the telemetry information sent by Windows 10 operating system and the company’s cloud solution back to the US.
This information can include anything from regular software diagnostic data to user content from Office applications, such as email subject lines and sentences from documents where the company’s translation or spellchecker tools were used.
Collection of such information is a violation of GDPR laws that came into effect last May.
While Microsoft previously provided a version of these applications that stored such information in a German data center, the ruling noted that Microsoft shut down the location as of August 2018 — meaning, the telemetry data was once again being transmitted to US data centers, potentially giving US officials the rights to access it.
Pointing out that the use of cloud applications in itself is not the problem as long as pupils’ consent and the security of the data processing is guaranteed, HBDI’s Michael Ronellenfitsch raised concerns about whether schools can store personal data of children in the cloud.
But since school children cannot provide consent by themselves, the data processing is illegal under GDPR law.
“Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data,” Ronellenfitsch said.
European concerns about data transmitted to the US are not new. In a bid to control its digital sovereignty, France launched its own secure government-only chat app called Tchap earlier this April to prevent officials from using WhatsApp. Even India is said to be exploring something along similar lines.
Ronellenfitsch said the ruling applied to Google and Apple, stating their cloud solutions haven’t been fully transparent either.