After the Snowden revelations, US-based Big Tech companies raced to reassure their non-US customers that the NSA wasn't raiding their cloud-based data, moving servers inside their customers' borders and (theoretically) out of reach of the NSA; then came the Cloud Act (Clarifying Lawful Overseas Use of Data Act), in which the US government claimed the right to seize data held on overseas servers and the companies began consolidating their servers back in the USA.
Microsoft recently moved its cloud servers — the ones hosting data for Office 365 users — out of Germany to the USA, a mere two years after their decision to site data-centers inside Germany.
The privacy commissioner for the state of Hesse has responded by advising schools to discontinue their use of Office 365 and Windows 10 (which transmits a steady stream of usage data to Microsoft). The move came after Microsoft repeatedly failed to answer the commissioner's repeated requests for clarification on its data-handling practices.
As Office-Watch points out, all of the US Big Tech companies have a version of this problem — even if they continue to locate servers in Germany, the specter of the Cloud Act means that all that data might as well be in Fort Meade.
"…in connection with the use of Office 365 in the cloud, …. the security and traceability of the data processing processes are not guaranteed. Therefore the data processing is inadmissible" – Translated from original German.
It seems Microsoft is staying quiet on the issue
"… data is also transmitted when using Office 365. whose contents have not been finally clarified despite repeated inquiries at Microsoft. " – Translated from original German.
(via Naked Capitalism)