The state's data-protection commissioner has ruled that using the popular cloud platform's standard configuration exposes personal information about students and teachers "to possible access by US officials".
The ruling by the Hesse Office for Data Protection and Information Freedom follows several years of domestic debate about whether German schools and other state institutions should be using Microsoft software.
Besides the details that German users provide when they're working with the platform, Microsoft Office 365 also transmits telemetry data back to the US. The Germans are not the only ones who are worried. Dutch investigators discovered that that data could include anything from standard software diagnostics to user content from inside applications, such as sentences from documents and email subject lines.
This contravenes the EU's General Data Protection Regulation or GDPR, the Dutch said. We will take their word for it, but we would have thought the safe harbour provisions would have applied.
Microsoft invested millions in a German cloud service, and in 2017 Hesse authorities said local schools could use Office 365. If German data remained in the country, that was fine, Hesse's data privacy commissioner, Michael Ronellenfitsch, said.
Then for reasons only known to itself, Vole shut down the German service. So once again, data from local Office 365 users would be data transmitted over the Atlantic.
Several US laws, including 2018's CLOUD Act and 2015's USA Freedom Act, give the US government more rights to ask for data from US tech companies.