noyb Files Complaint Against Microsoft for Violating Children’s Privacy

On 4 June 2024, noyb filed two complaints with the Austrian Data Protection Authority (DPA) against Microsoft for violating children’s privacy rights with its “365 Education” services. noyb argues that Microsoft improperly shifts GDPR responsibilities to schools, which lack control over data processing.

Background

Since the pandemic, schools have increasingly adopted digital services like Microsoft 365 Education. However, this adoption has raised significant privacy concerns. Microsoft is accused of using its market power to dictate contract terms, leaving schools with a “take-it-or-leave-it” choice and no negotiating power. Consequently, when students attempt to exercise their GDPR rights, Microsoft deflects responsibility, claiming schools are the data controllers, despite schools having no practical control over the data.

GDPR Violations

The complaint outlines several key violations:

  • Tracking Cookies: Microsoft allegedly installed tracking cookies on students’ devices without consent. These cookies collect browser data and track user behavior for advertising purposes. Despite students disabling optional data processing, tracking continued, violating GDPR requirements for consent.
  • Transparency Issues: Microsoft’s privacy documentation is described as vague and fragmented, making it nearly impossible for users, including children and their parents, to understand how their data is processed.
  • Misleading Controller Role: Microsoft claims schools are the data controllers, yet schools have no access to or control over the data, making it impossible for them to fulfill GDPR obligations. Schools cannot realistically enforce or oversee data processing, creating a compliance regime disconnected from reality.
  • Illegal Processing for Microsoft’s Own Purposes: The complaint argues that Microsoft processes personal data for its own purposes, exceeding the scope of data processing as a processor. This includes using data for developing and improving products, which lacks a valid legal basis under GDPR.

Requests

noyb asks the DPA to:

  • Conduct a comprehensive investigation into Microsoft’s data processing practices.
  • Declare that Microsoft violated GDPR by processing personal data without a legal basis.
  • Prohibit Microsoft from further processing data without valid consent.
  • Impose fines to ensure compliance and protect students’ privacy.

Not the first rodeo, or is it?

If this sounds familiar, it is because the topic has been in the spotlight before, but in Denmark. The Danish DPA has previously sanctioned a municipality (the controller, because it organises the school system) for using Google Workspace (see my post here), and then said that Microsoft raises the same issues (see my post here). In those cases, the ones held responsible are indeed the schools (actually the municipalities that are responsible for the school system), and no direct sanction or requirement concerned Google or Microsoft.

Noyb is finally pointing the finger in the right direction – the qualification of roles between the parties and the overwhelming position of the tech giants, which is what makes this case one to watch closely. 

👉 Read the complaints here.
