
The Austrian Data Protection Authority (DSB) has ruled that Microsoft illegally tracked students via its Microsoft 365 Education suite and violated multiple GDPR provisions, including the fundamental right of access to personal data.
The decision stems from a 2024 complaint filed by privacy advocacy group noyb on behalf of a student, and it holds Microsoft Corporation in the US, the Austrian Federal Ministry of Education, and the student’s school jointly responsible.
The complaint was filed after the student's father, acting through noyb, submitted a data access request regarding Microsoft 365 Education. The request triggered a series of denials and referrals between the school, the Ministry of Education, and Microsoft, with none of the parties able to explain what data was collected, what it was used for, or whether it was shared with third parties. The DSB confirmed in its decision that this lack of transparency violated the student’s rights under Articles 13 and 15 of the GDPR.
Microsoft 365 Education is a cloud-based productivity suite deployed widely across European schools. The Austrian Ministry of Education had entered into a framework agreement with Microsoft’s Irish subsidiary, but the DSB found that the key decisions on data processing were made by Microsoft Corporation in the US. The DSB therefore treated the US entity as the main controller and rejected Microsoft’s attempt to shift legal responsibility to its Irish subsidiary.
The DSB confirmed that Microsoft 365 Education set several non-essential tracking cookies without user consent. These cookies were found to be unnecessary for technical operation and thus required prior consent, which was not obtained. As a result, Microsoft, the Ministry, and the school must now check whether these cookies are still in use and delete any associated data within ten weeks.
Additionally, the DSB ordered Microsoft to provide the complainant with comprehensive and understandable explanations of how it uses student data for internal purposes. Specifically, Microsoft must clarify what it means when it refers to processing data for “business modeling,” “internal reporting,” “energy efficiency,” “fraud prevention,” or “cybersecurity.” The company must also disclose whether any student data was shared with LinkedIn, OpenAI, or Xandr, all three of which appeared in the telemetry logs examined during the procedure.
The authority found that the school and the Ministry were joint controllers under Article 26 of the GDPR, due to their shared role in deploying Microsoft 365 Education. However, both were found to have failed to adequately inform the student or provide full access to data, largely because Microsoft did not give them the necessary technical insight into how the platform operates.
The DSB emphasized that Microsoft’s explanations, including a general cookie list provided during the procedure, were too abstract and failed to meet the GDPR’s standard for clarity and precision, especially considering the data subjects were minors.
This ruling has potentially wide-reaching consequences. Microsoft 365 Education is used by millions of students and teachers across the European Economic Area. Similar concerns apply to the standard Microsoft 365 platform, used by businesses, government institutions, and NGOs throughout the region. The DSB’s decision aligns with earlier warnings from German regulators that Microsoft 365 does not meet GDPR compliance requirements due to its opaque data processing structure.
Microsoft now has four weeks to respond directly to the complainant with complete access details, while the school and Ministry must respond within ten weeks. All three must also verify whether any unlawful tracking data remains and delete it if found.