noyb has scored another win in its proceedings against Microsoft 365 Education: The Austrian data protection authority (DSB) has decided that the company illegally installed cookies on the devices of a pupil without consent. According to Microsoft’s own documentation, these cookies analyse user behaviour, collect browser data and are used for advertising. Microsoft now has four weeks to comply and cease the use of tracking cookies.
- Decision by the Austrian DSB (DE)
- PR for previous DSB decision against Microsoft
- Original complaints from 2024
Background. In June 2024, noyb had filed two complaints concerning Microsoft 365 Education in schools with the Austrian DSB. The first complaint was decided in October 2025. Back then, the DSB held that Microsoft violated the right of access under Article 15 GDPR. The second complaint, which has now been decided, concerned the use of unlawful tracking cookies in Microsoft 365 Education.
Second noyb win against Microsoft. In its most recent decision, the DSB has once again found that Microsoft acted unlawfully. To be specific, the company placed tracking cookies on the devices of a minor using Microsoft 365 Education. According to Microsoft’s own documentation, these cookies analyse user behaviour, collect browser data and are used for advertising. The DSB has additionally ordered Microsoft to cease tracking the complainant within four weeks. Both the school and the Austrian Ministry of Education claimed they were not aware of such tracking cookies prior to the noyb complaints.
Felix Mikolasch, data protection lawyer at noyb: “Tracking minors clearly isn’t privacy-friendly. It seems like Microsoft doesn’t care much about privacy, unless it is for their marketing and PR statements.”
Microsoft Ireland bypassed. During the proceedings, Microsoft also tried to argue that their EU subsidiary in Ireland is in charge of Microsoft 365 products in Europe. The DSB rejected that argument and held that, in fact, Microsoft US is making the relevant decisions. US big tech companies regularly argue that they fall under Irish jurisdiction, because the Irish Data Protection Commission is known to hardly enforce EU law.
Likely far-reaching consequences for Microsoft 365. Microsoft 365 Education is used by millions of students and teachers across Europe. Millions of other people use the standard "Microsoft 365" at companies and authorities in Europe. Tracking users without consent is not compliant with EU law, which is an issue for all organisations using Microsoft 365. The German data protection authorities have already considered Microsoft 365 to fall short of the requirements of the GDPR.
Max Schrems: “Companies and authorities in the EU should use compliant software. Microsoft has once again failed to comply with the law."
