<https://noyb.eu/en/noyb-win-microsoft-365-education-tracks-school-children>
noyb win: Microsoft 365 Education may not track school children
------------------------------------------------------------------------
* Original Complaint from 2024
<https://noyb.eu/de/microsoft-violates-childrens-privacy-blames-your-local-school>
* Decision by the DSB (PDF)
<https://noyb.eu/sites/default/files/2025-10/Microsoft_Education_365_Bescheid_bk.pdf>
*Three-way Responsibility Shifting.* During the COVID pandemic many
schools quickly shifted to the "cloud" and Big Tech was quick to provide
"educational" products. However, Microsoft shifted all responsibility to
comply with privacy laws onto schools and national authorities - that
have little to no actual control over the use of student data. Local
schools are usually not powerful enough to push back against Microsoft -
leading to a "take it or leave it" situation. When faced with a student's
access request to personal data processed by Microsoft 365 Education,
this led to massive finger pointing: Microsoft simply referred the
complainant to its local school. However, the school of the complainant
could only provide minimal information - as it does not have any way to
access information that rests with Microsoft. No one felt able to comply
with GDPR rights. The complainant, represented by noyb, consequently
lodged a complaint against all possible players (the local school, the
local board of education, the Ministry of Education and Microsoft US)
with the Austrian DSB.
Felix Mikolasch, data protection lawyer at noyb: “/Microsoft tried to
shift almost all responsibilities for Microsoft 365 Education to schools
or other national institutions. The Austrian DPA now decided that this
does not fly. We welcome this decision/.”
*Unlawful tracking of kids and no access.* The Austrian DSB found
several GDPR violations. First, it found Microsoft 365 Education used
tracking cookies without consent, which was found to be illegal. Both
the school and the Austrian Ministry of Education claimed during the
procedure they were not aware of such tracking cookies before the
complaint. The DSB now ordered the deletion of the relevant personal
data. Second, Microsoft violated the right to access under Article 15
GDPR by not providing full access to the data of the complainant.
Microsoft will now have to provide such access. Microsoft will also have
to explain in clear terms what it means that it uses data for its
business purposes such as “business modeling” or “energy efficiency” and
if it sent personal data to LinkedIn, OpenAI or the tracking company Xandr.
Felix Mikolasch, data protection lawyer at noyb: /“Microsoft usually
argues that its educational products are privacy friendly. This
procedure showed that this is not really the case.”/
*Microsoft leaves schools and authorities in the dark.* The decision
also holds that the complainant’s school and the Austrian Ministry of
Education should provide further information, in particular which
information of students was transmitted to Microsoft. However, the
Austrian DSB also stressed that Microsoft did not provide the Ministry
of Education with full information regarding the data processing in
Microsoft 365 Education, which makes it basically impossible for local
schools to comply with their obligations under Articles 13 and 14 GDPR.
Felix Mikolasch, data protection lawyer at noyb: “/The decision by the
Austrian DPA really highlights the lack of transparency with Microsoft
365 Education. It is almost impossible for schools to inform students,
parents and teachers about what is happening with their data/.”
*Microsoft Ireland bypassed.* Microsoft also tried to argue that in fact
their EU subsidiary in Ireland is in charge of Microsoft 365 products in
Europe. The DSB rejected that argument and held that in fact Microsoft
US is making the relevant decisions. Minor decisions in Ireland to
adjust a product for the EU do not shift responsibility (and hence the
jurisdiction for the case) to Ireland. US big tech companies regularly
argue they fall under Irish jurisdiction, because the Irish Data
Protection Commission is known to hardly enforce EU law.
*Likely far-reaching consequences for Microsoft 365.* Microsoft 365
Education is used by millions of students and teachers across Europe.
Millions of other people use the standard "Microsoft 365" at companies
and authorities in Europe. Properly informing employees, students and
other users about how their data is used is mandatory by law - but often
factually impossible for commercial customers. If Microsoft does not
provide clear information and more powers to its commercial customers,
using Microsoft 365 is hardly compliant with EU law. The German data
protection authorities
<https://www.bfdi.bund.de/SharedDocs/Downloads/DE/DSK/DSKBeschluessePositionspapiere/104DSK-Festlegung-Microsoft-Onlinedienste.pdf?__blob=publicationFile&v=2>
have already considered Microsoft 365 to fall short of the requirements
of the GDPR.
Max Schrems, data protection lawyer at noyb: “/We have 'big tech'
providers trying to get all the power, but shifting all responsibilities
to European commercial customers. If Microsoft does not fundamentally
change the setup of their products, European commercial customers will
not be able to comply with their obligations/.”