A German state have announced that they are banning the use of Office 365 in their schools citing GDPR reasons (read article here). The issue arose, according to the article in the Verge, following Microsoft closing their German data centre resulting in a potential risk where German personal data may be accessed by US Authorities.
My view on this is that there has been a certain amount of overreaction on the part of the German state where viewed as a GDPR related action. I can understand their concerns in relation to unauthorised access to data by US authorities. This would represent a GDPR risk however it takes a very narrow view of the situation.
A broader view would include the implications for not using Office 365 to store data. This means that schools are now storing their data locally on servers most likely within individual schools. I would suggest that the ability of individual schools, school groups or local authorities to secure their local data including appropriate monitoring and patching of servers, etc is likely to be far short of what Microsoft provide in their data centres. They are unlikely to have the resources, both technology and staffing, or the skills and experience. As such removing one GDPR risk in relation to potential unauthorised access by US authorities has simply replaced it with another risk being a reduced level of security for data in each school. I would suggest that the new risk is higher than the risk they have mitigated in banning Office 365.
In all this discussion there is a wider, more important, question; who has my data including any telemetry data resulting from system usage? The answer is sadly that this is very difficult to identify. Every time we use an Android phone, do a google search, order from Amazon, access Office 365 or do any manner of other things using Internet connected technologies data is being generated and stored. It is also often shared and then combined with other datasets to create totally new datasets. Consent for data gathering is clear in very few sites/services. In most it is buried in detailed terms and conditions written in complex legal’eese. In some cases the terms and conditions are clearly excessive such as in the recently trending FaceApp where use of the app grants the company a perpetual license to display “user content and any name, username or likeness providing in connection with your user content” (see a related tweet here). Basically when you provide your photo to the app they can keep it and use it as they see fit from now until the end of time. There is also the use of tracking cookies as well, where I have large number of websites seeking permission to use cookies but without any real details as to what data is being stored or why the data is needed.
It is the wider question for which I applaud the German state as they are helping to raise the question of data, how it is gathered, used and shared. The waters are incredibly murky when it comes to how the big IT companies, such as Google, Facebook and Microsoft, manage data. We all need to stop and examine this situation however not as individual states or countries but on a global and societal level. As to Office 365 being a GDPR risk; I suppose it is but then again there are very few, if any systems which do not represent some sort of risk and I doubt we are going to put down our phones, stop searching google, buying for amazon, etc.
Technology and Learning