Microsoft 365 Education violates GDPR: illegally tracks students

The Austrian data protection authority, the DSB, has ruled that Microsoft 365 Education illegally tracks students. The software uses student data for its own purposes and refused access to personal data, putting schools in an impossible position.

During the COVID pandemic, schools around the world rapidly switched to cloud services. Microsoft immediately offered “educational” products. At the same time, responsibility for privacy compliance was shifted to schools and national authorities.

The fundamental tension came to light when a student requested access to his personal data. Microsoft simply referred him to the local educational institution, which in turn could only provide minimal information because it does not have access to data held by Microsoft. The result: no one could guarantee GDPR rights.

“Microsoft tried to shift almost all responsibilities for Microsoft 365 Education to schools or other national institutions,” responds Felix Mikolasch of privacy organization noyb. The Austrian DPA has decided that this is not acceptable.

The regulator discovered several GDPR violations during the investigation. Microsoft 365 Education appears to use tracking cookies without consent, which is illegal. Remarkably, both the school involved and the Austrian Ministry of Education claimed during the proceedings that they were unaware of these tracking cookies.

For this violation, the Austrian authority has now ordered the deletion of all relevant personal data. In addition, Microsoft violated the right of access under Article 15 of the GDPR by failing to grant the complainant full access to their data.

Lack of transparency

The supervisory authority found that Microsoft did not provide the Ministry of Education with sufficient information about the data processing. This makes it practically impossible for schools to comply with their GDPR obligations.

“The decision by the Austrian DPA really highlights the lack of transparency with Microsoft 365 Education. It is almost impossible for schools to inform students, parents and teachers about what is happening with their data,” said Mikolasch.

Microsoft must now explain exactly what it means when it says data is used for “business purposes,” such as “business modeling” or “energy efficiency.” It must also clarify whether personal data has been shared with LinkedIn, OpenAI, or tracking company Xandr.

Irish arrangement rejected

During the proceedings, Microsoft attempted to argue that its Irish subsidiary is responsible for Microsoft 365 products in Europe. The regulator rejected this argument and determined that Microsoft US makes the relevant decisions. American tech companies regularly claim to fall under Irish jurisdiction because the Irish privacy regulator is known for hardly enforcing EU law.

The ruling could have far-reaching consequences for Microsoft’s business model in Europe, where privacy laws are increasingly enforced. Microsoft 365 Education is used by millions of students and teachers in Europe, while the standard Microsoft 365 version is used by countless companies and government agencies.

Providing users with accurate information about data processing is a legal requirement. Still, without clearer information and more control for customers, the use of Microsoft 365 seems hardly compatible with EU law. German privacy regulators have previously assessed Microsoft 365 as insufficient for GDPR requirements.