Microsoft violates children’s privacy – but blames your local school

Data Subject Rights / 04 June 2024

In the wake of the pandemic, schools in the European Union have increasingly begun to implement digital services for online learning. While these modernisation efforts are a welcome development, a small number of big tech companies immediately tried to dominate the space – often with the intention of getting children used to their systems and creating a new generation of future “loyal” customers. One of them is Microsoft, whose 365 Education services violate children’s data protection rights. When pupils wanted to exercise their GDPR rights, Microsoft said schools were the “controller” for their data. However, the schools have no control over the systems.

Two children handing in their GDPR rights to Microsoft at the entrance to a school.

Shifting responsibility between Big Tech and local schools. Software vendors like Microsoft have enormous market power, allowing them to dictate the terms and conditions of contracts with anyone who wants to use their products. At the same time, these software providers try to dodge responsibility by insisting that almost all of it lies with local authorities or schools. In reality, neither has the power to influence how Microsoft actually processes user data. Instead, they are faced with a take-it-or-leave-it situation where all the decision-making power and profits lie with Microsoft, while schools are expected to bear most of the risks. Schools have no realistic way of negotiating or changing the terms.

GDPR rights are being ignored. In practice, this leads to a situation where Microsoft is trying to contractually dump most of its legal responsibilities under the GDPR on schools that provide Microsoft 365 Education services to their pupils or students. This means, for example, that access requests to Microsoft go unanswered – while schools have no realistic way of complying with such requests because they don’t hold the necessary data.

Maartje de Graaf, data protection lawyer at noyb: “This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools. Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations.”

Detached from reality. In Austria, where noyb has filed its two complaints, local principals are supposedly tasked with determining the “purposes and means” under Article 4(7) GDPR and with ensuring compliance against international software providers such as Microsoft. This results in a compliance regime that is completely detached from the data processing reality.

Maartje de Graaf, data protection lawyer at noyb: “Under the current system that Microsoft is imposing on schools, your school would have to audit Microsoft or give them instructions on how to process pupils’ data. Everyone knows that such contractual arrangements are out of touch with reality. This is nothing more than an attempt to shift the responsibility for children’s data as far away from Microsoft as possible.”

A maze of privacy documentation. Trying to find out exactly what privacy policies or documents apply to the use of Microsoft 365 Education is an expedition in itself. There is a serious lack of transparency, forcing users and schools to navigate a maze of privacy policies, documents, terms and contracts that all seem to apply. The information provided in these documents is always slightly different, but consistently vague about what actually happens to children’s data when they use Microsoft 365 Education services.

Maartje de Graaf, data protection lawyer at noyb: “Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection.”

Secretly tracking children. But this is not the only issue at hand. Although the complainant did not consent to tracking, Microsoft 365 Education still installed cookies that, according to Microsoft’s own documentation, analyse user behaviour, collect browser data and are used for advertising. Such tracking, which is commonly used for highly invasive profiling, is apparently carried out without the complainant’s school even knowing. As Microsoft 365 Education is widely used, the company is likely to track all minors using their educational products. The company has no valid legal basis for this processing.

Felix Mikolasch, data protection lawyer at noyb: “Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors.”

Countless children are affected. noyb asks the Austrian data protection authority (DSB) to investigate and factually analyse what data is being processed by Microsoft 365 Education. Neither Microsoft’s privacy documentation, nor requests for access, nor noyb’s own research could fully clarify this, which violates the GDPR’s transparency provisions. In addition, the company failed to comply with the right of access. As the terms and conditions and the privacy documentation of Microsoft 365 Education are uniform for the EU/EEA, all children living in these countries are exposed to the same violations of their GDPR rights. Therefore, noyb also suggests that the authority should impose a fine on Microsoft.