The French government has decreed that free versions of Microsoft Office 365 and Google Workspace shouldn’t be used in schools. The French Minister of National Education confirmed that the government was deeply concerned that the free version of the software wasn’t compliant with GDPR regulations on privacy.
In addition, the French felt that giving the software systems away for free was anti-competitive, and amounted to a form of dumping. The ruling comes not long after the Schrems II decision from the EU Court of Justice (ECJ) in 2020, which invalidated the US-EU Privacy Shield Agreement.
At the center of the issue is the fact that American software providers still store their user data on US servers. This makes the data liable to seizure by the US government, which is at odds with the privacy rules surrounding EU citizen data protections under the GDPR.
In the Schrems II case, the ECJ found that ‘the data surveillance laws and compliance requirements for data processors in the United States made it impossible for firms to ensure that, once transferred, individuals’ data in the United States received equivalent protections to those in the EU.’
Specifically, the Foreign Intelligence Surveillance Act allows US intelligence services to collect data on foreign nationals, which is incompatible with the terms of the EU GDPR regulations.
As a result, the flow of client data from the EU to the USA was severely impacted, and many European companies and agencies stopped using American software to avoid breaching the terms of the GDPR. This also applied where the US firms professed to run their data centers inside the EU territories.
Microsoft Trying to Comply
This latest move is just the most recent example of the tussle between the EU and US authorities over access to European citizen data. The authorities in Germany also blocked the use of Microsoft 365 in classrooms in the state of Hessen in 2019.
A similar ruling in Berlin in 2020 stated that any company or controller which transfers personal data to the USA is required to ‘switch immediately to service providers based in the European Union’ or a country with equivalent privacy laws or face the possibility of a fine of up to €20 million or 4% of annual worldwide turnover.
Since that time, American companies like Google, Facebook, and Microsoft have been scrambling around trying to comply, but, as this latest decree shows, not very successfully. However, these companies have now stated that they’re working towards managing data on the EU’s terms.
On top of this, there have also been moves by the current US administration to enact the Trans-Atlantic Data Privacy Framework to replace the Privacy Shield. This should permit a free flow of compliant transatlantic data once again.
However, by that time it’s likely that many EU states will have made a transition to other software systems based wholly in the EU, including open-source products and services which don’t attract any data transfer uncertainty.