Austria’s data protection authority has ruled that Microsoft’s widely used educational software suite illegally tracked student data, failed to obtain proper consent for cookies, and did not provide users with access to their own information. The decision, which found the company in violation of Europe’s General Data Protection Regulation (GDPR), stems from a complaint filed by a privacy advocacy group and could have significant repercussions for how student data is handled across the continent.
The ruling by the Austrian Datenschutzbehörde (DSB) addresses several core tenets of digital privacy, concluding that Microsoft 365 Education is not sufficiently transparent about its data processing operations. The privacy group noyb (None of Your Business) initiated the complaint in 2024, arguing that the tech giant’s practices left schools in an untenable position, making it nearly impossible for them to fulfill their own legal obligations to protect student data. As a result of the findings, the regulator has ordered Microsoft to grant the complainant full access to their data and to delete data collected unlawfully. The company must also provide clearer explanations for how it processes user information for its own business purposes.
Systemic GDPR Breaches Identified
The investigation by the Austrian DPA uncovered multiple distinct violations of the GDPR. A primary finding was that Microsoft 365 Education utilized tracking cookies without securing valid user consent, a direct breach of European privacy law. Officials from both the school involved in the complaint and the Austrian Ministry of Education stated during the proceedings that they were not even aware these tracking cookies were being used, highlighting the opacity of the software’s operations. The regulator mandated the deletion of all personal data collected through these means.
Another significant violation concerned the fundamental right of access under Article 15 of the GDPR. The complainant, a student represented by their father, requested access to the personal data Microsoft held on them. Instead of providing the data, Microsoft referred the request to the local school. However, the school could only supply minimal information, as it did not have access to the vast datasets processed and stored by Microsoft. This created a circular problem where neither entity could fulfill the legal request, effectively denying the student their rights. The DSB’s decision unequivocally places the responsibility back on Microsoft to provide this access directly.
A Complaint Rooted in Parental Concern
The case originated from a 2024 complaint filed by the Vienna-based privacy organization noyb on behalf of the father of a minor using Microsoft 365 Education at school. The complainant stated he did not consent to the tracking cookies and was unable to get clear information about how his child’s data was being utilized by the technology giant. Noyb argued that the software platform installed cookies that collect browser data for advertising and other purposes, a practice that could affect millions of students and educators throughout Europe who use the platform.
The rapid and widespread adoption of cloud-based educational tools, including Microsoft 365, during the COVID-19 pandemic provided the backdrop for this issue. As schools rushed to enable remote learning, many turned to comprehensive software suites that included applications like Word, Excel, PowerPoint, and the Teams collaboration platform. While these tools offered immediate solutions, the underlying privacy implications were not always clear. Noyb contended that in this swift transition, Microsoft effectively shifted the legal responsibility for data protection onto individual schools and national authorities, who were ill-equipped to manage or even understand the full scope of Microsoft’s data processing.
Accountability and Corporate Response
Shifting Responsibility to Schools
A central theme in the Austrian regulator’s decision was the rejection of Microsoft’s attempt to delegate its GDPR responsibilities. According to noyb, Microsoft’s position was to direct all data access requests and compliance inquiries to the local educational institutions. However, the DSB found this approach unacceptable, as these schools have no practical way to access or control the data held within Microsoft’s complex infrastructure. Felix Mikolasch, a data protection lawyer at noyb, stated that the decision highlights this untenable arrangement, noting it is “almost impossible for schools to inform students, parents and teachers about what is happening with their data.”
Microsoft’s Official Statement
In response to the ruling, Microsoft has indicated it will study the authority’s decision before determining its next actions. A company spokesperson asserted that its educational products comply with all necessary data protection standards. “Microsoft 365 for Education meets all required data protection standards, and institutions in the education sector can continue to use it in compliance with GDPR,” the company stated. This statement suggests a potential conflict between the company’s interpretation of its legal duties and the findings of the Austrian regulator.
Broader Implications for Educational Technology
The Austrian ruling carries significant weight beyond its immediate jurisdiction, setting a precedent for how educational technology providers are expected to handle student data across the European Union. The decision underscores that technology companies cannot simply outsource their data protection obligations to the schools that are their customers. It reinforces the principle that the entity processing the data retains a high degree of responsibility for ensuring transparency, user access, and lawful consent.
Furthermore, the DSB has ordered Microsoft to clarify what it means by using data for its own “business purposes.” The company must now provide specific information about activities it described with vague terms like “business modeling” and “energy efficiency.” It must also disclose whether it has shared personal data with its subsidiaries and partners, including LinkedIn, OpenAI, or the advertising technology company Xandr. This requirement for greater transparency could force a systemic change in how Microsoft and other EdTech vendors document and communicate their data practices to educational institutions and the public. The ruling serves as a critical reminder of the fundamental privacy rights of students in an increasingly digitized educational landscape.