Starting next year, everyone on campus will be working ‘in the cloud’ with a Microsoft Office365 account. The intention is to make collaboration and working from home even easier. But according to software security expert Bart Jacobs, the project is in conflict with European regulations after a recent European Court ruling. ‘It is, in fact, illegal.’

It is a routine every student or employee of the university follows nearly every day when starting work. You use your U or S number to log into a computer on campus or at home using VPN. The e-mail and files you gain access to are physically stored on campus, on one of the servers in the ISC buildings.

But this will soon change. From February 2021, the university will slowly roll out Office365 (under the new name Microsoft365) and we will no longer work on local systems, but rather in the cloud, on computers owned by Microsoft. The intention is to make it easier to share documents and calendars with others on campus. It also won’t matter where you are — on campus or at a conference in Canada — your desktop will look the very same when you log in. Radboud University has earmarked about 6 million euro next year for ICT projects such as Office365.

Bad Negotiating Position

A more efficient ICT system sounds wonderful and efficient, but there are a number of objections to the implementation of a cloud service. This is according to Digital Security Professor Bart Jacobs of iHub, the interdisciplinairy hub for security, privacy, and data governance at Radboud Universiteit. Jacobs is a nationally and internationally renowned privacy expert and is also a member of the national committee currently evaluating the Wet op inlichtingen- en veiligheidsdiensten (intelligence and security services act).

‘Firstly, as a university, you are putting yourself entirely at the mercy of an American software giant,’ he explains on the phone. ‘You won’t be able to escape Microsoft, and that puts the university in a bad negotiating position when changes have to be made.’

Illegal

However, there is a more pressing problem: the use of an American cloud service contravenes European privacy legislation. ‘There is no legal basis for implementing it. That means that it is illegal.’

Here is the reason. Privacy regulations in the United States are a lot less strict than those of the European Union. This is why it is far easier for American security services such as the NSA to have a look at the digital information on citizens than is the case in Europe, also as a result of the CLOUD Act and the anti-terrorism Patriot Act. This includes information such as the content of Gmail or Facebook accounts and file-exchange services such as DropBox. However, it also includes documents in the cloud, such as those in Office365.

To safeguard the privacy of European citizens, the EU and the US made an agreement in 2016, the ‘Privacy Shield’ agreement. But this agreement does not comply with European privacy legislation, ruled the judges of the Court of Justice of the European Union last July. That case was filed by the Austrian privacy activist Max Schrems who had already successfully challenged a predecessor of Privacy Shield a few years earlier.

Bomb

‘That ruling also sets a bomb underneath the Office365 project at Radboud University,’ says Jacobs. ‘The privacy of users will be insufficiently guaranteed. In principle, American security services can request information from Microsoft. And that company is storing it unencrypted. I suspect that if a student or employer goes to court in the Netherlands, they will win and the university will have to stop using Office365 because there is no legal basis. This is not specific to us; it is an issue everywhere in Europe.’

The Rector Magnificus previously spoke publicly in no uncertain terms about the influence of American technology companies.

There is a third reason why Jacobs thinks that the implementation of Microsoft365 is worth noting. ‘At the end of last year, the Rectors of all universities shared their collective concern about the big role that technology companies play at universities in de Volkskrant.’ In an opinion piece, they wrote that ‘the rapid digitisation of Dutch higher education means that we are increasingly reliant on the Googles and Microsofts of this world.’ The university administrators fear that this is a threat to public values such as academic autonomy.

To put a halt to this process, or to at least evaluate it properly, the Association of Universities in the Netherlands (VSNU) established a special project group for public values in education. Jacobs is a member of this committee, which will publish its recommendation next year. What this recommendation will look like cannot be disclosed by Jacobs at this moment. ‘But as a university, you should ask yourself whether it would be wise to wait for it. Especially when your own Rector has been so outspoken about the power and influence of American technology companies.’