According to the authorities, they say that this is because of the cloud nature of Office 365, which is actually one of the features that Microsoft is touting. Software that relies on cloud is useful as it allows users to sync data across multiple devices at once, but it seems that there are some concerns that the use of cloud could potentially expose user data.
This includes information like software diagnostics to even email subject lines or sentences typed out in Word, thanks to the use of Microsoft’s translation or spellchecker tools. It was also concerning that this information would be sent back to the US where Microsoft’s servers are kept. Previously, the company had produced a version of Office that had its servers based in Germany, but it has been noted that this has since shut down back in August of 2018.
According to the Hesse Commissioner for Data Protection and Freedom of Information, Michael Ronellenfitsch, “Public institutions in Germany have a special responsibility regarding the admissibility and traceability of the processing of personal data.”
Update – Microsoft has since issued a statement which reads:
We routinely work to address customer concerns by clarifying our policies and data protection practices, and we look forward to working with the Hessian Commissioner to better understand their concerns. When Office 365 is connected to a work or school account, administrators have a range of options to limit features that are enabled by sending data to Microsoft. We recently announced (here and here), based on customer feedback, new steps towards even greater transparency and control for these organizations when it comes to sharing this data. In our service terms we document the steps we take to protect customer data, and we’ve even successfully sued the U.S. government over access to customer data in Europe. In short, we’re thankful the Commissioner raised these concerns and we look forward to engaging further with the Commissioner on its questions and concerns related to Microsoft’s offerings.