back to article Microsoft 365 faces more GDPR headwinds as Germany bans it in schools

Germany's federal and state data protection authorities (DSK) have raised concerns about the compatibility of Microsoft 365 with data protection laws in Germany and the wider European Union. According to the German watchdog's report [PDF], which was written after two years of negotiations with Microsoft, the body says that the …

  1. Charlie Clark Silver badge

    This regulator's no good, I'll get myself another

    Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms.

    Going against the decisions of the DSK is like making up your own laws. If they want to take this to court and lose they can, but, really they should be liable for misrepresentation and possibly even defamation with this kind of statement.

    1. SloppyJesse

      Re: This regulator's no good, I'll get myself another

      MS: "[we] have already implemented many suggested changes to our data protection terms."

      That may well be the case, but you've not actually changed what you are doing with the data.

      1. EVP

        Re: This regulator's no good, I'll get myself another

        can continue to use M365 products without hesitation and in a legally secure manner.

        Legally secure meaning that they’re confident that it’s leagally safe for M$ and they’ll contiue to shaft you whenever they can.

        1. Charlie Clark Silver badge

          Re: This regulator's no good, I'll get myself another

          Words are wind: as long as they won't indemnify their customers against potential losses, it's not worth listening to them.

      2. NoneSuch Silver badge
        Mushroom

        Re: This regulator's no good, I'll get myself another

        "Microsoft 365 products meet the highest industry standards for the protection of privacy and data security."

        Guess who wrote those 'standards.' You know damned well they are not following processes by Adobe or Cisco.

        Good on the EU. They seem to be the only bastion of sanity and common sense left globally.

      3. Potemkine! Silver badge

        Re: This regulator's no good, I'll get myself another

        It isn't only about MS. A big problem is because of the CLOUD act. So unless the US repels this or a new company not subjected to it manages the European data, there's no solution for MS, they will never be able to comply to GDPR. All the BS they say is just PR, so less worth than shit.

        == Bring us Dabbsy back! ==

        1. Johnb89

          Re: This regulator's no good, I'll get myself another

          Exactly that... it isn't Microsoft's 'fault', its that they are a US company, subject to US law. No matter what they do under current US law they breach GDPR. So does every other US-registered company. US-based companies? Companies that operate at all in the US? Don't know.

          There might be one or two other US companies having the same flaw in their ability to do GDPR compatible business. Well done Mr. Schrems!

          Not that we should feel sorry for M$, but their weasel words give it away... they can't squeal against US law lest they lose their big contracts there.

    2. Someone Else Silver badge

      Re: This regulator's no good, I'll get myself another

      When asked for further comment, a Microsoft spokesperson said: "Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. We respectfully disagree with the concerns raised by the Datenschutzkonferenz and have already implemented many suggested changes to our data protection terms. [emphasis added] "

      As duly noted by the DSK, changing the terms and changing the actual practices are two separate things.

    3. Gordon 10

      Re: This regulator's no good, I'll get myself another

      Im going to be the contrarian for this one. Whilst not denying the possibilities of DSK being right the Germans in particular are known far and wide for exceptionally aggressive interpretations of the various GDPR purposes in a way that exceeds that of other member states. (Case in point a restriction on the use of numberplate for reporting illegal parking recently got struck down - it shouldn't have need to have been.)

      I'd like to know wether this is all in the realms of legal theory or whether M365 in a European Azure region actually makes any transfer of personal data to the US. Additionally AFAIK there has been no successful transfer of data under the CLOUD act or FISA from an MS European facility to a US one or onward to the Feds.

      Soo... colour me unconvinced and cautiously neutral of M$ in this instance without more background.

      1. I could be a dog really Bronze badge

        Re: This regulator's no good, I'll get myself another

        Clearly things may have changed since this article, but it would appear that in Apr 2018 Microsoft in the USA were able to access data held on servers located in Ireland. Now given that even back then they were (IIRC) claiming that data held in the EU was "safe" from non-EU access, IMO it's down to MS to demonstrate how they have changed such that they can't repeat such an action. AFAIK they have not done so, and also IMO, this means that no business in the EU (or the UK as we still have the same data protection laws) can legally use O365 as they cannot guarantee the safety of personal information.

        I would add that when you sign into O365, AFAIK much of the infrastructure is shared with and controlled by the US parent company - thus meaning the parent company has the ability to send your authentication processing anywhere it feels like - which means it would be fairly easy to redirect you via the USA and harvest your details in the process. I stand to be corrected on this ...

        1. Anonymous Coward
          Anonymous Coward

          Re: This regulator's no good, I'll get myself another

          It has changed since then, though of course I don't know if it's GDPR compliant now.

          Back then the way they provided data resilience was to back up on a primary, secondary and a 3rd region. That was before MS had 3 regions in the EU so the 3rd always went to the US and a US court could subpeona the backup.

          I'd be interested in where Azure AD credentials are maintained. I'm not entirely happy with AWS answers for IAM.

  2. Anonymous Coward
    Anonymous Coward

    Oh, I'd love it if they took this to court. I have a few things for an amicus brief..

    1. Anonymous Coward
      Anonymous Coward

      > an amicus brief

      No such thing in Germany.

      1. Anonymous Coward
        Anonymous Coward

        The problem is that going public isn't enough - that allows it to be buried. If it's part of a court case it becomes a formal part of record.

        Oh well, maybe time to brief the European Commission..

      2. Anonymous Coward
        Anonymous Coward

        Just approach the judge with your evidence.

  3. Anonymous Coward
    Anonymous Coward

    Office - open or closed?

    Microsoft 365 is closed for business if you aren't connected to the internet, as I discovered the other day in a small WFH WiFi contretemps. Perhaps Open Office or Libre Office would be better value if you actually want to get on with work rather than fulfilling someone else's telemetry targets.

    1. 43300 Silver badge

      Re: Office - open or closed?

      I'v been having a look at Softmaker Office recently - that one's not free, but it is fairly cheap and doesn't require a subscription (although they do offer a subscription option). It has the advantage / disadvantage (depending how you look at it) of having a ribbon layout for the menus.

      1. TVU

        Re: Office - open or closed?

        I bought Softmaker Office and I use it with the free online version of MS Office to get very good Microsoft compatibility and no one can tell that I am not using Microsoft's paid-for products.

      2. Henry Wertz 1 Gold badge

        Re: Office - open or closed?

        One minor warning with Softmaker Office, my dad went to open some very large document (190 pages with TONS of charts) and it was EXTRAORDINARILY slow to open it, like 10 minutes slow. Libreoffice opened it in about 15-20 seconds. That said, Softmaker is quite nice and I do encourage taking a look at it.

        1. Anonymous Coward
          Anonymous Coward

          Re: Office - open or closed?

          if you want really fast, try LibreOffice on a Mac with an M1 or later chip. I have no idea what they did, but it's about the fastest opening bit of software on my machine. Not that I set out to notice this but it's simply hard to ignore just how fast it is onscreen, ready to work.

          It makes opening especially Microsoft Word at the office even more excruciating, though - now I know other software that can do the job to be so dramatically faster it irritates me even more that Word takes a while to wake up, even though the machine it's on it not too shabby (Lenovo P1).

          Yes, LO has a lot going for it.

        2. Roland6 Silver badge

          Re: Office - open or closed?

          I've noticed similar very slow behaviour with MS Edge (Chromium) PDF viewer -

          I clicked on a link in another ElReg article

          https://web.eecs.umich.edu/~weimerw/2018-481/readings/mythical-man-month.pdf

          Edge is very slow in both online and offline reading modes, Chrome is only slightly better. Load the same document with Acrobat or FoxIt...

    2. Snake Silver badge

      Re: Office - open or closed?

      Sadly, as I've discussed before (as a LO user myself), is the issue that even the most up-to-date version of LO can not open the most recent version of MS Office documents (contrary to The Document Foundation's claims).

      So yes, LO if you can but, if your office insists on MS interoperability, then even the most recent version of LO won't cut it.

      1. MrDamage

        Re: Office - open or closed?

        >> If your office insists on interoperability, then even the most recent version of 365 won't cut it.

        FTFY

      2. Anonymous Coward
        Anonymous Coward

        Re: Office - open or closed?

        How on earth did THAT happen?

      3. Anonymous Coward
        Anonymous Coward

        Re: Office - open or closed?

        That's weird, I have as yet not had a problem for two decades that I've been using it and its predecessors (make that three decades or so if you incorporate the Star Office for OS/2 I once paid for). What sort of documents do you create then? Have you tried saving them in the only official EU standard format, ODF, and if so, what happened?

        We've switched to ODF as internal standard now. Easier for interoperability. You'd probably use MS formats if you're the kind of MS-only house that Microsoft wants you to be, but we run quite a mix (deliberately, btw, it's not an accident) and then ODF just made more sense.

        I'd really love to get my hands on a Word document that "doesn't work" so I can see where the problem is - it's not my experience that an import of an inferior format fails.

        1. Snake Silver badge

          Re: Word documents that don't work

          https://forums.theregister.com/forum/all/2022/08/19/libreoffice_7_4/#c_4517657

          Why don't you all go to Indeed.com and have a discussion with THEM on why their MS .DOCX documents won't open in LO??

          1. Anonymous Coward
            Anonymous Coward

            Re: Word documents that don't work

            So wait, it wasn't even your own document? You're just repeating one story in a forum from three months ago?

            Wow.

        2. Charlie Clark Silver badge

          Re: Office - open or closed?

          I can only really speak about the spreadsheet part, but LO has some long-standing bugs when working with OOXML and occasionally manages to introduce new ones in things that should have been frozen years ago.

          I agree that ODF is the better format but that doesn't excuse some of the sloppy programming and lack of QA that LO has, unfortunately, been guilty of.

      4. eldakka

        Re: Office - open or closed?

        > So yes, LO if you can but, if your office insists on MS interoperability, then even the most recent version of LO won't cut it.

        Go back to the originator of the document and tell them to save it in the industry standard open ODF format, rather than the MS proprietary formats.

        1. Snake Silver badge

          Re: Office - open or closed?

          "Go back to the originator of the document and tell them to save it in the industry standard open ODF format, rather than the MS

          No problem. I'll just go right back to Indeed.com and tell them that

          https://forums.theregister.com/forum/all/2022/08/19/libreoffice_7_4/#c_4517657

          I'm sure they'll go right ahead and care about my comment.

          Not.

          1. eldakka

            Re: Office - open or closed?

            > No problem. I'll just go right back to Indeed.com and tell them that

            That's just a stupid comment.

            Indeed.com seems to be a jobs website that requires a potential employer to sign up to and list an available job on. Then when an applicant applies for the job through indeed.com, it supplies to the employer the job application - apparently based on your comment in a MS proprietary format.

            Therefore it's simple, as an 'advertiser' on the platform, you tell them to offer ODF as an option for receiving applications in, or you just leave the platform. Indeed.com isn't a monopoly, it doesn't provide a unique service that no-one else offers. Just don't use them, problem solved.

      5. Anonymous Coward
        Anonymous Coward

        Re: Office - open or closed?

        > the issue that even the most up-to-date version of LO can not open the most recent version of MS Office documents

        Don't use proprietary document formats then. It's a daft idea, especially when there are perfectly adequate open formats that do the same job.

        I'm seeing less and less of it, mind. Except for CAD drawings where DWG is still king, sadly.

        1. Roland6 Silver badge

          Re: Office - open or closed?

          >Don't use proprietary document formats then.

          The trouble is the way MS Office works.

          For example with Office 2019, I can create a default install profile which sets open document formats as the default save format. However, Word for example will still on saving a document warn the user that some features aren't supported and would they prefer to use the proprietary format...

          I think many would prefer Office to disable/grey out functionality not supported by the user-set default document format.

          1. that one in the corner Silver badge

            Re: Office - open or closed?

            > I think many would prefer Office to disable/grey out functionality not supported by the user-set default document format

            In my experience (which admittedly ignores some features, for the sake of a simple life) that *is* what Office is doing.

            In other words, *all* of the features you've used *are* supported when e.g. saving an ODF file and the message is just there to give your FUD a boost.

            Having said that, sometimes it is necessary to generate an obviously less than capable format, such as RTF, to feed a particular process. In those cases it would be good if *all* of the wordprocessors would grey out the unsaveable options. That would save arguments and mean one doesn't need to beat writers into using WordPad (!) instead of their beloved wordprocessor.

            1. Anonymous Coward
              Anonymous Coward

              Re: Office - open or closed?

              In other words, *all* of the features you've used *are* supported when e.g. saving an ODF file and the message is just there to give your FUD a boost.

              Amusingly, the LO team implemented a similar message if you try to save in an inferior (i.e. proprietary) format. It made me laugh when I first saw it, very entertaining. Also very true with respect to previous versions. An ODF doc will rarely render improperly* because it IS actually a (fully documented) open standard, and OpenOffice/LibreOffice are pretty much its proving ground.

              MS Office rendering isn't even consistent between the same release on different platforms..

              * Tiny caveat: it's always best to have the document incorporate the fonts used to create it, just to prevent a font replacement on the receiving end.

          2. Anonymous Coward
            Anonymous Coward

            Re: Office - open or closed?

            > Word for example will still on saving a document warn the user that some features aren't supported

            I bet you it doesn't say "some features are not supported" but something along the lines of "some features may not be supported".

            That's because, as pointed out by someone else, that's a well-known FUD marketing tactic with very little to no technical basis.

        2. Charlie Clark Silver badge
          FAIL

          Re: Office - open or closed?

          OOXML is not proprietary,

          1. F. Frederick Skitty Silver badge

            Re: Office - open or closed?

            As implemented in Microsoft products, it is proprietary since they use undocumented extensions and even the core is not fully compliant with the ISO standard. Unless you're being deliberately trollish, I suggest going back and reading about the very controversial standardisation process for OOXML. It does not meet the criteria for a proper standard, with too many areas left undocumented, and the whole process reeked of corruption.

            1. I could be a dog really Bronze badge

              Re: Office - open or closed?

              Not only that, but there is no test suite or any other means of determining compatibility with OOXML.

              I say that because as written, it is not implementable ! I jest not, the standard includes bits like a blob whose sole definition is something along the lines of "Word 95 format" - which is a proprietary and undocumented format. Therefore the standard is not implementable as written.

              But that doesn't matter one jot. Because it is a standard, obtained by "questionable means", MS can tick the box on an ever increasing number of procurement specifications labelled "standards compliant".

              It's tempting to do a FOI question to government bodies asking what verification they have made that the products they use are actually compliant - I suspect the answer will be either "nothing at all", or "we took MS's word for it", if they answer at all.

              1. Charlie Clark Silver badge
                Stop

                Re: Office - open or closed?

                The OOXML Productivity Suite includes a validator. It's not perfect and missing from more recent versions of the SDK.

                Having implemented part of the specification in Python, I'd disagree with most of your assertions, though there are lots of quirks and problems. I also know someone from the ISO WG who says that, while ODF is probably the better format, it's even more neglected than OOXML.

                1. I could be a dog really Bronze badge

                  Re: Office - open or closed?

                  So the only validator is a) part of the vendor's SDK and so not independent, and b) "not perfect". So that would equate to there being no independent validator available.

                  As to the other part, have you implemented any of the "do like proprietary and undocumented file format" bits ?

                  Could "neglected" equate to an element of "doesn't need work as it was done right in the first place" ?

            2. Charlie Clark Silver badge
              Stop

              Re: Office - open or closed?

              I acutally implement software according to the spec and engage in discussions with the ISO working group. I'm not going to defend the specification but it is there and it can be worked with and Microsoft still engages sufficient resources to continue working on it.

              The extensions are all documented. More difficult, I find, is implicit behaviour and inconsistencies. I'm currently wading throug pivot tables and this is a bit of nightmare.

      6. Zippy´s Sausage Factory
        Devil

        Re: Office - open or closed?

        The controller of the most recent version of MS Office documents is Microsoft. There's supposed to be an open standard that they use... but they play fast and loose with words and carry on doing whatever they want to try and destroy the competition. As usual.

        1. Strahd Ivarius Silver badge
          Joke

          Re: Office - open or closed?

          They had a nice Word document explaining how they followed the standard, with images and all.

          And then an intern decided to move one image, and chaos ensued

        2. Charlie Clark Silver badge

          Re: Office - open or closed?

          Acutally ISO SC34 WG4 is responsible for the standard.

    3. ecofeco Silver badge

      Re: Office - open or closed?

      Microsoft 365 is closed for business if you aren't connected to the internet,

      I thought everyone knew this. It's the biggest reason it sucks. As with all things that require cloud connection to work, it defeats the very purpose of a PC: freedom.

      1. Anonymous Coward
        Anonymous Coward

        Re: Office - open or closed?

        The very purpose of a PC is to run software. Its purpose is not AFAIK "freedom", or maybe that was stated in the pile of paper that comes with a new machine and which is the first to end up in recycling..

        1. Fred Daggy Silver badge
          Devil

          Re: Office - open or closed?

          Sadly, lots (most? all?) choices we make have moral or ethical implications. Now, I am not implying that Microsoft employ slave child labour in sweatshop conditions, coding for 16 hours a day. (They have adults for that). But, consider who owns the software or device you are using.

          Who are they owned by? Are they ethical? A dictatorial regime? Support decent treatment regardless of creed or colour?

          Regrettably, once you open up this can of worms, the genie is out of the bottle and you can disappear down a real rabbit warren.

        2. that one in the corner Silver badge

          Re: Office - open or closed?

          > that was stated in the pile of paper that comes with a new machine and which is the first to end up in recycling

          What you are promised in that pile of paper never seems to be fulfilled.

          Still waiting for the golden sun-kissed beach and golden sun-kissed lady[1] that the EeePC promised. Even sent in the little card with name and address and everything.

          Now I'm starting to doubt that they'll be shipping the crowd of adoring rock fans with the MIDI extension cable.

          [1] For the sake of inclusion, I'd put a note here that other models are available, but then that'd just be even more people disappointed at the lack of delivery.

    4. Lee D Silver badge

      Re: Office - open or closed?

      I have to say that if I ever set up my own small business again, I'll be going NextCloud and their cloudy office (is it Collabra?) on a bunch of my own dedicated servers.

      I can't see anything that I have done professionally using Google Workspace or Office 365 that I couldn't do in some way with the same kind of setup, and in a more integrated way, entirely under my own control.

      In fact, I'm often amazed when I look through the plugins for NextCloud at just what it can do - OpenStreetMap equivalents of Google Maps, Asterisk SIP integration, etc.

      I understand the need for a large commercial backer for big companies, but for anything I'm ultimately responsible for, I'd be going NextCloud etc.

      I've managed Windows networks for 20+ years and if I was running the company I wouldn't use Windows either nowadays. MS don't care what you want any more, you get what you're given. For 10 of those years, I was self-employed and used Linux, OpenOffice (now LibreOffice), other OS equivalents etc. as my primary desktop both in work and at home.

      NextCloud installs are - as far as I'm concerned - the Google Docs / Google Drive / etc. without the "Google" factor. Hell, it does a pretty good job of just being a media center / "YouTube" by throwing MP3's and MP4's into it, even auto-converting them and pulling metadata and media info, and that's a long way outside its intended usage.

      1. Roland6 Silver badge

        Re: Office - open or closed?

        >NextCloud/Collabora Online/Office

        Shame it doesn't include an Outlook replacement. I appreciate there are open source mail clients et al but as a replacement for MS Office they do need to cover Outlook, both directly (ie. mail and PIM) and cross app integration.

        What email client (and server) are you proposing to use with Nextcloud et al

        1. Lee D Silver badge

          Re: Office - open or closed?

          I wouldn't. I hate Outlook with a vengeance and think it does two things terribly - calendar management and email management. Bit of a drawback for the product, from that point of view.

          Webmail and calendaring clients of all kinds exist, it's just a matter of finding the combination you like - and you can even use their Outlook plugin if you're that desperate.

          My default NextCloud (latest stable) has groupware already installed, and the default NextCloud Calendar and Mail plugins are right there in one click and integrate together.

          1. Roland6 Silver badge

            Re: Office - open or closed?

            My reading of the Nextcloud groupware pitch is that it is browser-based ie. online only - hence of zero use to mobile workers, who aren't always online.

            Personally, if there isn't an "offline" client I stop looking, but then I have spent my life in the real world of mobile working...

            As for Outlook, the issue is covering the email client and PIM functionality along with the integrations with Zoom, Office etc. and add-ons like Egress Switch.

            Which email server did you go with?

      2. that one in the corner Silver badge

        NextCloud suggestions

        Got NextCloud installed at home and shared calendars & contacts working with our phones & tablets - so far, so good.

        Having done that, it'd seem to make sense to get a few other useful plugins to leverage the resource investment in the installation (!) but in all honesty I look at articles extolling the virtues of one thing or another and am left confused: most seem to just say "Plugin X is a workable replacement for Other Company's Y", whilst the site for Y mostly tells me it'll "fit in with my lifestyle", whatever that means.

        Ok, file sharing we understand the concept of, but, um, it is running on the same home server, we can see all the files already. We rarely collaborate on processing words (different interests). Well, it does have bookmarks to to out svn and BugZilla home pages with icons, which is a nice reminder.

        So, serious question: any suggestions for NextCloud features that are worth a look at for a small household setup?

      3. BOFH in Training

        Re: Office - open or closed?

        I was thinking of just using the Synology version of Office tools if I was looking for a cloud based office.

        Since it runs from my NAS, everything is stored in my own device which only I have control over.

        Especially when it's on a 1gbps connection to the net, it should be fairly fast, if I decide to try that out.

        I assume it will not have the latest and greatest features that MS is pushing, but I suspect it will work for general uses.

  4. Filippo Silver badge

    What about Google's stuff?

    At least around here, Google's various online tools are widely employed in schools, usually with little regards for where the data ends up. Are they any better? Somehow I doubt it.

    1. ecofeco Silver badge

      Re: What about Google's stuff?

      Then they should investigate Google as well, shouldn't they.

    2. Lee D Silver badge

      Re: What about Google's stuff?

      Not true.

      Google were the first out of the door with a full GDPR compliance statement, updated regularly and for Google For Education, you can select your data storage location very simply. As far as I know, there's nothing that they do wrong there, and they beat MS to it by years, and yet Apple (iCloud) etc. STILL are not GDPR compliant and have no intention to be.

      If you're worried about schools, worry about Apple and its blatant disregard for all GDPR and data protection. They literally won't issue a GDPR compliance statement. Google did so years in advance of the laws in the UK, to a level of detail and assurance that made it a no-brainer to continue using them.

      Google also offer Google for Government - which operates entirely on isolated government servers in government datacentres. They know how to do it. MS I suspect haven't fully joined the dots between their "office.com" domains and data transfer, but UK schools using Google have explicit assurances that it's entirely within the UK and never ever leaves the UK. Apple... they don't even respond when you ask. I chased them for 5 years, nothing. And, no, there was no "GDPR statement" on their website... just a thing that says they strive to comply.

      There's a reason - iCloud is nothing more than randomly geolocated AWS, Azure, etc. instances. They buy the cheapest locations from their competitors (who do things properly), then pass it off to you as "Apple iCloud" but can't even be bothered to separate it by region and pass on those same assurances they are given themselves.

      1. Anonymous Coward
        Anonymous Coward

        Re: What about Google's stuff?

        Utter bollox, Google are an American company subject to American laws including access to data held by the company for national security reasons.

        1. Strahd Ivarius Silver badge

          Re: What about Google's stuff?

          Excatly.

          Up to the moment Google & al. move their headquarter outside the USA and its territories, they are under the obligation to conform to US laws allowing full access to US entities (any US authorities and US companies that ask the US government) to the servers they are managing, whatever the location, as long as they are reachable from the USA.

          1. Lee D Silver badge

            Re: What about Google's stuff?

            Neither of you guys saw Microsoft (US)'s court case where that literally did not happen because it could not happen because Microsoft (US) and Microsoft (EU) are unrelated companies each subject to their own jurisdictions, and each storing only the data for their respective clients.

            This is literally what the US attempted, and Microsoft not only did not co-operate... they couldn't. Microsoft (EU) basically refused the request, and anyone who was party to enacting it in the EU (or even allowing Microsoft (US) to enact it) would be charged in the EU.

            Sorry, but your example is literally what DOES NOT HAPPEN because the US jurisdiction ends at the US borders.

            1. I could be a dog really Bronze badge

              Re: What about Google's stuff?

              it could not happen because Microsoft (US) and Microsoft (EU) are unrelated companies each subject to their own jurisdictions, and each storing only the data for their respective clients

              Are you referring to the case where immediately after the CLOUD act was passed, MS did hand over the data without any protest ? Thus proving beyond any doubt whatsoever that the US company did have the ability to lift data straight from a server located in Ireland.

              Now, things could have changed in the 4 1/2 years since, but having demonstrated that they could do what they claimed was impossible back then, I'd need better assurance than them telling me it's not possible - how do I know that what they say is impossible will be something else they later demonstrate to be trivially easy ?

      2. nobody who matters

        Re: What about Google's stuff?

        ".....Google were the first out of the door with a full GDPR compliance statement, updated regularly and for Google For Education, you can select your data storage location very simply. As far as I know, there's nothing that they do wrong there...."

        Really?? Is that the same Google which until fairly recently made you perform 21 seperate clicks across three pages to opt out of everything (or at least everything they allowed you to opt out of - or at least led you to believe they were allowing you to opt out of).

        And bearing in mind that opted out is supposed to be the default position under GDPR, and it should be for the user to physically opt in.

        Google have said and published lots on the subject of how privacy and security compliant they are over the years, but every time someone delves a bit below the surface, they find that the statements are either misleading or downright lies.

        Nowadays of course, nobody believes a word of it.

        1. Anonymous Coward
          Anonymous Coward

          Re: What about Google's stuff?

          Good to see someone else raising the previous Google issue of 21 separate clicks (actually around 33 operations, including scrolling down).

          I wrote about those step on here years ago, probably 10 years ago, and it's taken until now, to finally get a proper (French regulator) definition of what complying simply with GDPR entails.

          That to comply with GDPR, the options must display zero bias to either opt in, or opt out. i.e. opt out can't be more steps than to opt-in.

          And yet, there are still hundreds of websites that don't conform to this, and even Google still requires you to scroll down to see the choice of the two options.

    3. storner

      Re: What about Google's stuff?

      Danish schools have been using Google Chromebooks and Google tools for several years. Then the Danish Data Protection Agency (which is definitely not very eager to tread on anyones toes) came up with a ruling saying "you cannot use Google in schools" after a parent complained that their kids' personal data ended up in the US.

      It's just the same as the german Office 365 decision.

      And of course all of the schools and local governments are up in arms about it.

      1. Pseu Donyme

        Re: What about Google's stuff?

        Indeed, see:

        https://edpb.europa.eu/news/national-news/2022/danish-dpa-imposes-ban-use-google-workspace-elsinore-municipality_en

        Nutshell summary: Google is not a viable alternative.

      2. I could be a dog really Bronze badge

        Re: What about Google's stuff?

        And of course all of the schools and local governments are up in arms about it

        To which the proper response is "tough s**t - you shouldn't have been breaking the law in the first place - would you prefer jail time for the senior people who signed off on the illegal activity because they didn't perform due diligence ?"

  5. elsergiovolador Silver badge

    Too big to fail

    This is the problem with capitalism that has not been regulated properly.

    Big corporations essentially get to make their own laws and do whatever they want.

    A fine for big corporation is just a cost of doing business, for SMEs is often life changing.

    If corporation grows beyond certain point by law it should be divided into independent entities.

    We have now situations when a corporation starts "start up" divisions, looking out what small businesses are up to and copying best ideas using their available bottomless funding.

    If you are not born into the tech royalty, you'll always be an employee, a serf.

    1. Throatwarbler Mangrove Silver badge
      Thumb Down

      Re: Too big to fail

      Except, as you will note, the DPK has forbidden the use of M365 in schools and government offices, which means those entities will need to find an alternate solution and Microsoft will lose their business, which suggests that regulation is happening effectively.

      1. Neil Barnes Silver badge

        Re: Too big to fail

        Forbidden from when? This week? Next week? Next year? And meanwhile, MS are collecting the subscription payments for systems that remain in place.

        1. eldakka

          Re: Too big to fail

          > Forbidden from when?

          As of the ECJ Schrems II judgement on 16 July 2020.

          If they are using it right now, they are in breach of the law.

          This is in effect a clarifying statement that says "we consider using O365 to come under the Schrems II ruling". Therefore today the government could start prosecuting schools or governmnet agencies that are using O365, however in all liklihood they'll give them a grace period to get off it, but that's entirely voluntary by the prosecutors office (under direction from the governmnet) to do that.

          1. localzuk

            Re: Too big to fail

            Another outcome is that this ruling opens schools to being sued should they continue to use it. Things would change very quickly when a school started losing money from it.

            1. Lon24

              Re: Too big to fail

              There are two issues here: Are they in breach of the law? Yes, if DSK is authoritative. Secondly, what happens if they are taken to court?

              IANAGL but most judicial systems try to make the punishment fit the crime - unless the penalty is pre-defined by law. Hence if a school could show that on receiving the command to drop Microsoft365 they took all reasonable steps to do so in a timely manner. In other words what we might describe as a conditional discharge or less and if a civil case an award of one euro might be the 'punishment'.

              The relevant question is what is timely? I'd be looking to some independent educational assessment of how fast it could be done without seriously damaging current student learning. That's not tomorrow. Whether it's next school year or more would hang on the balance of evidence of which we, here, know little.

              It might be reasonable to have a test case to define that if DSK doesn't. But if I was a school's IT head I'd be downloading LO/Nextcloud or other open equivalents before calling my lawyer.

              Meanwhile in Ofcom Towers you can bet they are looking to make the GDPR replacement Microsoft friendly. Which will likely lock our IT even further out of Europe. Is that their objective?

              Oh, and does using Win11 fall foul too with it's mandatory MS accounts?

    2. Anonymous Coward
      Anonymous Coward

      Re: Too big to fail

      "We have now situations when a corporation starts "start up" divisions, looking out what small businesses are up to and copying best ideas using their available bottomless funding."

      This a thousand times, but if you post on here about about large corps subsidising business in one area using profits and tax manipulation from another, you usually get down votes.

      The goal of large corps is to build monopolies or oligopolies to exploit the market and extract extra profits from consumers. Large corps are actually anti-capitalist, ideally you need a mix of medium size businesses to exploit scale of manufacturing/ services and small business' to provide competition and mass employment.

  6. Henry Wertz 1 Gold badge

    Have it both ways

    I like how the Microsoft spokesman is like there's no problem with data protection, but they have "implemented many suggested changes to our data protection terms."

    Anyway, good on the Germans. I'm a believer in privacy and I'm glad they are looking at how data is actually handled instead of listening to bland assurances that everything is fine.

    1. Strahd Ivarius Silver badge
      Facepalm

      Re: Have it both ways

      before it was:

      "we are complying with the GDPR"

      now it is:

      "we are really complying with the GDPR"

      the processes stay the same

  7. Anonymous Coward
    Anonymous Coward

    scalable collaborative document server subscriptions

    For educational use, collaborative functionality should be the norm. It's a huge help to teachers and students for enabling assistance and grading. (Of course, it can supplemented by email or printed pages when things go wrong, but that should be the exception rather than the norm.)

    "LibreOffice Online" is open source collaborative server software provided by The Document Foundation (TDF). However, as the web page states explicitly, on attempts at large scale usage (>10 users) LibreOffice Online will display a prominent "not supported" warning and a link to this page, while continuing to function - in order to prevent worse things from happening.

    The suggested way forward is to hire consultant/engineers from a short list of "LibreOffice Certified Developers". However, that strategy has two problems:

    - it is not a solution that scales well.

    - it is very difficult to determine costs.

    A more efficient solution would be competing companies that offer scalable server subscriptions with up front pricing (not restricted to Libre Office, of course). The EU as a block could define that as the recommended business interface for educational institutions requiring document software as well as offering 10 years no tax on company profits and sales.

    What really should be avoided is crony capitalism where some politicians pick a incompetent club member to manage a subsidized monopoly on offering the EU (or the French, or the German) collaborative document service.

    1. Twanky
      Coffee/keyboard

      Re: scalable collaborative document server subscriptions

      I'll start by admitting I'm out of touch with educational use of IT. I'm from an era when 'the dog ate my homework' was a (very unlikely) possibility. My daughter is a teacher but she works in 'early years' where I don't think the kids' inability to use M365 is particularly relevant. As a possibly relevant side-issue she says that in recent years she's seen a large increase in kids starting school who are completely non-verbal (not even 'yes' or 'no') and still in nappies/diapers.

      I take issue with: For educational use, collaborative functionality should be the norm. It's a huge help to teachers and students for enabling assistance and grading. (Of course, it can supplemented by email or printed pages when things go wrong, but that should be the exception rather than the norm.)

      Why should this be the norm? Why should multiple people be able to work on a document/spreadsheet at the same time? It's possibly useful when you want to teach older kids about teamwork but in my (ancient) experience of paper-based school collaboration projects a couple of kids do all the work and the rest of the 'team' enjoys the credit...

      Hmm, come to think of it, that is a valuable lesson.

      icon: modern equivalent of 'the dog ate my homework'----->

  8. VoiceOfTruth

    I wonder if Windows itself is GDPR compliant

    All that snooping on typing, where does it go?

    1. Pirate Dave Silver badge

      Re: I wonder if Windows itself is GDPR compliant

      All that snooping on typing, where does it go?

      Over seas, in the breeze, why, didn't you know?

      Redmond reads what was writ, and as quick as a flash,

      Out the other side tumbles a box full of cash.

      'Til the Law takes a look at their working machine,

      And decrees, with a frown, it's to children too mean.

      All that snooping on typing will not be allowed,

      Kick the state and the schools from the Microsoft cloud.

      Or something like that...

  9. captain veg Silver badge

    Microsoft 365 products meet the highest industry standards

    Q. How many Microsoft engineers does it take to change a light bulb?

    A. Just the one. Bill Gates declares darkness to be an industry standard.

    -A.

  10. eldakka

    a Microsoft spokesperson said: "Microsoft 365 products meet the highest industry standards for the protection of privacy and data security. ...
    Making something an industry standard doesn't magically make it legal.

    This is Microsoft admitting that the industry standard is in breach of the law and that anyone following this industry standard is thus in breach of the law.

    1. Pirate Dave Silver badge

      I was thinking more along the lines of - if you're the 800-pound gorilla in the "industry", you pretty much get to set the "standard". And if you set the standard low enough to walk over flat-footed, well, it's still the "highest industry standard".

  11. localzuk

    Wonder if the UK will take note

    Or, more likely the data protection rethink will eliminate this sort of thing and allow us to ship data to the USA without a care in the world...

    1. Anonymous Coward
      Anonymous Coward

      Re: Wonder if the UK will take note

      Family issue: You have to trust your Big Brother, don't you.

  12. thondwe

    Do wonder if personalities are getting in the way in Germany - Clearly there's some big fans of open source solutions (and possibly much anti-US/MS sentiment)? in German government circles, but they've tried this push before (Munich City tried and failed)? Problem is that without significant investment you're not going to beat MS/Google/etc

    1. Phones Sheridan Silver badge

      Munich tried, failed, and are now trying again

      https://winbuzzer.com/2020/05/14/munich-ditches-microsoft-office-and-windows-in-favor-of-open-source-xcxwbn/

    2. localzuk

      A good idea can fail through bad implementation. So, Munich's failed scheme is not evidence itself that doing this is impossible, more that the way they implemented it was the problem.

      Same happens constantly in the proprietary world - look at how often the big names end up being sued for things going awry during implementation.

      1. I could be a dog really Bronze badge

        Not to mention, before it was a case of "we want to do this for ${reasons}". And we all know that there will have been some very powerful lobbying going on and people who really wanted it to fail.

        Now there's an element of "we need to do this because ${law}".

  13. Anonymous Coward
    Anonymous Coward

    Yep, I agree with the regulator here. It is absolutely impossible to use O365 without some elements of personal data being broadcast back to MSlurp.

    PiHole does an impressive job of filtering "some" but you can't stop all the traffic.

    I'd be willing to pay for a "commercial" office suite of software that didn't come with the crapware and slurpiness. Of course, you don't have to, because LibreOffice. (Donations to the cause appreciated).

  14. Anonymous Coward
    Anonymous Coward

    Matthias Pfau statement that schools should move to Linux and open office is frankly ludacris.

    As much as a fan I am they don't even begin to replace what's provided within the Microsoft ecosystem.

    The education sector has moved on from the era of a word processor being enough.

    1. Adair Silver badge

      Sometimes morality and guts require that you just walk away from the bullshit, and don't look back.

      MS do not define 'general purpose computing', however much they may try to bullshit us and themselves, that they do.

      Life goes on, with and without MS.

      (happily free of MS bullshit since 2008)

    2. localzuk

      Having worked in education IT for 16 years now, I feel it safe to say that you're entirely wrong.

      The technology exists to replace everything a school does with open source software. The problematic part is a) getting knowledgeable staff b) being able to afford those staff and c) the enormous upheaval of getting everyone used to all this new stuff. Hell, moving from Windows 7 to Windows 10 was a big change for many!

      The VAST majority of tools in use in education these days are web based.

      1. Anonymous Coward
        Anonymous Coward

        I can't see how anything you've said proves me wrong.

        In fact I'd call it a ringing endorsement.

        Having also worked in education IT for a similar amount of time, I'm well aware that schools do not have the budget or ability to hire the staff capable of running on a fully open source stack.

        Technology existing is not enough - in the real world all the things you mentioned are factors that make it completely unrealistic.

        It's hard enough to get decent technicians let alone senior IT staff capable of developing and supporting that sort of system.

        Even once you've crossed all those hurdles and managed to get this mythical stack running how is the school going to support it once you've moved on?

        Guys like you and me who are both extremely competent and willing to work for £45k are pretty rare and getting rarer.

        >The VAST majority of tools in use in education these days are web based.

        Like Office 365 you mean? Data protection cross borders is precisely the matter at hand.

  15. nobody who matters

    ".....Microsoft 365 products meet the highest industry standards for the protection of privacy and data security.....".

    Doesn't say much for the privacy and security of lower standard products then does it.

  16. Tron Silver badge

    Bring back the 1990s.

    It really doesn't matter if MS can see German school work. But perhaps all this weird data nationalism may push us back to having software on local media, storing files on local media, rather than the cloud. Which would be much better than subscriptions for online services that can have features removed at the drop of a hat, charging you every month, and storage of your files on someone else's server, that can be accessed and scanned by third parties such as your own government, via back doors.

    Bring back the 1990s. Just not those AOL CDs.

  17. M.V. Lipvig Silver badge

    PLEASE make this happen

    "Instead of relying on voluntary cooperation, much harsher consequences must be drawn here; for example, by using completely different systems. Linux with Open Office is a very good alternative to which schools and authorities should switch immediately."

    A whole new generation raised not using Linux means the next generation of business leaders won't be "M$ or nothing" people. And, we can eliminate the scourge known as the Windows in the Gates of Hell.

  18. Anonymous Coward
    Anonymous Coward

    Getting the feeling

    Is anyone getting the feeling that Cloud storage was a ruse dreamed up by the CIA to make their job a lot easier. Being old, I remember the days when I owned the drives that my files were stored on, and an internet connection was not required to type up a job application or file away my favourite recipes

  19. Alf Garnett

    Here's an easy solution that will save money in the budgets of public schools and other institutions. Use LibreOffice instead. It's free and it doesn't require any information from users. I've used it for years and it NEVER asked me for any personal or any other information. German public schools can save money by not buying MicroShaft products and spend the money on fuel to keep the schools warm this winter.

  20. Grogu yoda

    It's back to LaTeX for you. The Borgs behind Open Office, Libre Office and Office 365 are Dead. You'll see unfixable bugs in them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like