The Austrian Data Protection Authority (DSB) has ruled that Microsoft unlawfully installed tracking cookies on a student’s device through its Microsoft 365 Education platform, marking a second victory for privacy rights group noyb in its campaign against the tech giant.
The DSB found that Microsoft violated key provisions of the GDPR by failing to obtain valid consent before collecting data and has given the company four weeks to cease such practices.
The case originated in a June 2024 complaint filed by the European Center for Digital Rights (noyb), representing a student at an Austrian school. On July 31, 2023, while using Microsoft 365 Education to edit a Word document in the browser, the student had several tracking cookies automatically installed on her device without her consent. These cookies, including MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session, collected browser data and user activity and were linked to Microsoft’s advertising and analytics infrastructure.
In its ruling, the DSB determined that Microsoft Corporation, not its Irish subsidiary, acted as the data controller responsible for this processing. The authority found that Microsoft used the data not only to deliver its service but also for its own purposes, such as marketing, product development, and internal reporting. Consequently, the data collection was not limited to what was necessary for the educational function requested by the student, and therefore could not qualify as “technically necessary” under the Austrian Telecommunications Act or fall under any valid legal basis under Article 6 of the GDPR.
Microsoft argued that its Ireland-based entity was responsible for operations in the EU, an oft-used defense by US tech firms seeking to benefit from the Irish Data Protection Commission's more lenient enforcement. However, the DSB rejected this, finding that the US parent company exerted decisive control over product development, cookie deployment, and data collection strategy for Microsoft 365 Education. This reinforced Microsoft Corporation’s direct accountability under EU law.
Microsoft 365 Education is widely deployed across Europe, with over a million students and teachers in Austria alone using it. The Austrian Ministry of Education, which entered into framework agreements with Microsoft for cloud services in schools, told investigators it was unaware of the tracking cookies embedded in the educational suite. According to the DSB, neither the ministry nor local administrators had meaningful control over cookie behavior, nor the ability to disable tracking features.
This decision follows a previous ruling in October 2025, in which the same authority found Microsoft in breach of Article 15 of the GDPR for denying the student access to her own data processed by Microsoft 365. In this latest case, the DSB not only validated the complaint but also issued a formal order under Article 58(2)(f) GDPR, instructing Microsoft to stop processing personal data through non-essential cookies unless proper user consent is obtained. The ruling explicitly classifies the five cookie types as non-essential and states that their continued use without consent constitutes unlawful data processing.
Felix Mikolasch, a data protection lawyer at noyb, criticized Microsoft’s approach, stating, “Tracking minors clearly isn’t privacy-friendly. It seems like Microsoft doesn’t care much about privacy, unless it is for their marketing and PR statements.”
Max Schrems, chair of noyb, called on public institutions and companies to reconsider their use of non-compliant tools, warning that Microsoft’s repeated non-conformance with EU privacy rules poses a systemic risk for its widespread deployment across Europe.
Leave a Reply