The Datenschutzbehörde (DSB), Austria’s data protection authority (DPA), has ruled that Microsoft is illegally tracking students with Microsoft 365 Education and uses student data for its own purposes.
According to the privacy regulator, Microsoft violated GDPR privacy legislation by not providing the complainant, a minor represented by the privacy advocacy group noyb, full access to the data that the company processes from the complainant’s Microsoft 365 Education account.
Instead, the Redmond-based tech company referred the complainant to his school when he requested access to his data. However, the complainant's school could only provide partial information because it doesn’t have access to all the data that Microsoft collects.
The complainant filed a complaint with the DSB against the local school, the local board of education, the Department of Education, and Microsoft.
The Austrian privacy regulator found several GDPR violations. For starters, Microsoft used tracking cookies in its Microsoft 365 Education software without consent, which is illegal. Both the local school and the Department of Education claimed they were not aware of these tracking cookies before the complaint. The DSB has ordered that Microsoft remove all relevant personal data.
Secondly, Microsoft violated Europe’s privacy laws by not providing full access to the complainant’s data. This is contrary to GDPR Article 15, which dictates the right of access by data subjects. Microsoft must now grant access and explain in clear terms for what business purposes the company uses this data.
“The decision by the Austrian DPA really highlights the lack of transparency with Microsoft 365 Education. It is almost impossible for schools to inform students, parents, and teachers about what is happening with their data,” Felix Mikolasch, data protection lawyer at noyb, said in a statement.
Although the rulings in this case only concern the specific complainant, noyb believes they also have implications for other commercial users.
“We have big tech providers trying to get all the power, but shifting all responsibilities to European commercial customers. If Microsoft does not fundamentally change the setup of its products, European commercial customers will not be able to comply with their obligations,” says noyb Chairman Max Schrems.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked