Microsoft’s education-focused cloud productivity suite, Microsoft 365 Education, is under scrutiny in the European Union following two complaints filed by privacy rights nonprofit noyb (None of Your Business) with Austria’s data protection authority, reports TechCrunch.
The complaints allege significant issues with transparency and legality in the processing of minors’ data, raising serious concerns about the tech giant’s compliance with the EU’s General Data Protection Regulation (GDPR).
The first complaint targets the clarity and legal foundations of Microsoft’s data processing practices. According to noyb, Microsoft provides “consistently vague” information regarding how children’s data is used.
This lack of transparency, they argue, might lead to the unlawful processing of minors’ information. The GDPR, which sets a high standard for the protection of children’s data, mandates clear transparency and accountability from data controllers, requiring a lawful basis for any data processing activities.
Breaches of these regulations can result in fines of up to 4% of global annual turnover, potentially scaling to billions of dollars for Microsoft.
noyb accuses Microsoft of attempting to sidestep its responsibilities as a data controller by transferring compliance burdens onto schools through contractual arrangements.
“Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education,” said Maartje de Graaf, a data protection lawyer at noyb.
She added, “Schools have no way of complying with the transparency and information obligations.” This approach, de Graaf argues, is impractical as schools lack the capacity to audit or instruct Microsoft on data processing.
The second complaint accuses Microsoft of clandestinely tracking children through the use of tracking cookies in its 365 Education software, without obtaining proper consent. noyb’s findings suggest these cookies analyze user behavior and collect browser data for advertising purposes.
“Such tracking, which is commonly used for highly invasive profiling, is apparently carried out without the complainant’s school even knowing,” noyb stated.
They argue that Microsoft lacks a valid legal basis for such tracking, further violating GDPR stipulations that require special care in processing minors’ data for marketing purposes.
Felix Mikolasch, another data protection lawyer at noyb, expressed grave concerns over Microsoft’s practices, stating, “Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA.”
noyb is calling on the Austrian Data Protection Authority (DPA) to thoroughly investigate these complaints and ascertain the extent of data processing by Microsoft 365 Education.
They also urge the imposition of penalties if GDPR violations are confirmed. Although Microsoft typically addresses GDPR complaints through its regional base in Ireland, a spokesperson for noyb emphasized the local relevance of these complaints to Austrian schools and students, suggesting the Austrian DPA’s competency to investigate independently.
Microsoft responded to the complaints by asserting its compliance with GDPR and commitment to protecting the privacy of its young users.
“M365 for Education complies with GDPR and other applicable privacy laws and we thoroughly protect the privacy of our young users.
We are happy to answer any questions data protection agencies might have about today’s announcement,” a Microsoft spokesperson said in an emailed statement.
The complaints against Microsoft 365 Education add to a series of GDPR challenges the company faces in the EU.
In March, the European Data Protection Supervisor found the EU’s use of Microsoft 365 in breach of GDPR, imposing corrective measures with a deadline for compliance. Additionally, a 2022 investigation by German data protection authorities concluded that there was no way to use the suite in full compliance with GDPR.
This case underscores the ongoing tension between tech giants and European data protection authorities over the handling of minors’ data. With precedents like the €405 million fine on Meta for Instagram’s minor protection failures and the €345 million penalty on TikTok for similar breaches, the outcome of this investigation could have significant implications for Microsoft and its operations within the EU.
As the investigation progresses, all eyes will be on the Austrian DPA to see whether they will take decisive action and set a precedent in enforcing children’s data protection laws against one of the world’s most influential technology companies.