Non-profit privacy rights organization noyb has filed two complaints against Microsoft with Austria’s data protection authority (DPA) regarding the company’s cloud-based school software suite, Microsoft 365 Education.
The complaints centre on concerns about transparency and the processing of children’s data on the Microsoft platform, potentially violating the European Union’s General Data Protection Regulation (GDPR).
The first complaint alleges a lack of transparency around data processing. noyb asserts that Microsoft’s contracts with schools attempt to shift responsibility for GDPR compliance onto them.
Schools, however, lack the capacity to monitor or enforce Microsoft’s data practices, creating a situation where children’s data may be processed in ways that don’t comply with GDPR.
noyb further criticizes Microsoft for providing “consistently vague” information regarding data collection practices within Microsoft 365 Education. This lack of transparency makes it difficult, if not impossible, for parents and children to understand how their data is being used.
The second complaint highlights the use of tracking cookies within Microsoft 365 Education software. These cookies reportedly collect user browsing data and analyze user behaviour, potentially for advertising purposes.
noyb says such tracking practices occur without the consent of users or the knowledge of the schools themselves, and there appears to be no legal justification for it under GDPR.
The GDPR mandates strong protections for children’s data, emphasizing transparency and accountability. Violations can result in significant fines, potentially reaching up to 4% of a company’s global annual turnover, which could translate to billions of dollars for Microsoft.
noyb has requested that the Austrian DPA investigate the complaints and determine the extent of data processing by Microsoft 365 Education. The company has also urged the authority to impose fines if GDPR violations are confirmed.
Microsoft has yet to respond to the complaints. While the company has a European headquarters in Ireland, noyb emphasizes the “locally relevant” nature of the complaints due to its focus on Austrian schools and children. This could lead to a faster investigation and potential enforcement action by the Austrian DPA.
The GDPR has resulted in hefty penalties for violations involving children’s data in the past, with major social media platforms like Meta and TikTok facing fines.
Microsoft’s cloud services have also faced investigation in Europe, with the European Data Protection Supervisor raising issues about the EU’s own use of Microsoft 365. These latest complaints add to the ongoing legal complexities surrounding Microsoft’s cloud products in the European Union.
Author
