The Austrian Data Protection Authority ("DSB") issued a decision finding that Microsoft 365 Education illegally tracks students and uses student data for Microsoft's own purposes. The software giant also did not answer an access request related to Microsoft 365 Education, which is widely used in European schools. Instead, Microsoft tried to shift all responsibility to local schools. While the relevant schools also have to provide more detailed access data and additional privacy information according to the decision, it is now for Microsoft to finally answer how it uses user data for its own business purposes.

Three-way Responsibility Shifting. During the COVID pandemic many schools quickly shifted to the "cloud" and Big Tech was quick to provide "educational" products. However, Microsoft shifted all responsibility to comply with privacy laws onto schools and national authorities, which have little to no actual control over the use of student data. Local schools are usually not powerful enough to push back against Microsoft, leading to a "take it or leave it" situation. When a student submitted an access request for personal data processed by Microsoft 365 Education, this led to massive finger pointing: Microsoft simply referred the complainant to the complainant's local school. However, the school of the complainant could only provide minimal information, as it does not have any way to access information that rests with Microsoft. No one felt able to comply with GDPR rights. The complainant, represented by noyb, consequently lodged a complaint against all possible players (the local school, the local board of education, the Ministry of Education and Microsoft US) with the Austrian DSB.
Felix Mikolasch, data protection lawyer at noyb: “Microsoft tried to shift almost all responsibilities for Microsoft 365 Education to schools or other national institutions. The Austrian DPA now decided that this does not fly. We welcome this decision.”
Unlawful tracking of kids and no access. The Austrian DSB found several GDPR violations. First, it found Microsoft 365 Education used tracking cookies without consent, which was found to be illegal. Both the school and the Austrian Ministry of Education claimed during the procedure they were not aware of such tracking cookies before the complaint. The DSB now ordered the deletion of the relevant personal data. Second, Microsoft violated the right to access under Article 15 GDPR by not providing full access to the data of the complainant. Microsoft will now have to provide such access. Microsoft will also have to explain in clear terms what it means that it uses data for its business purposes such as “business modeling” or “energy efficiency” and if it sent personal data to LinkedIn, OpenAI or the tracking company Xandr.
Felix Mikolasch, data protection lawyer at noyb: “Microsoft usually argues that its educational products are privacy friendly. This procedure showed that this is not really the case.”
Microsoft leaves schools and authorities in the dark. The decision also holds that the complainant’s school and the Austrian Ministry of Education should provide further information, in particular which information of students was transmitted to Microsoft. However, the Austrian DSB also stressed that Microsoft did not provide the Ministry of Education with full information regarding the data processing in Microsoft 365 Education, which makes it basically impossible for local schools to comply with their obligations under Articles 13 and 14 GDPR.
Felix Mikolasch, data protection lawyer at noyb: “The decision by the Austrian DPA really highlights the lack of transparency with Microsoft 365 Education. It is almost impossible for schools to inform students, parents and teachers about what is happening with their data.”
Microsoft Ireland bypassed. Microsoft also tried to argue that in fact their EU subsidiary in Ireland is in charge of Microsoft 365 products in Europe. The DSB rejected that argument and held that in fact Microsoft US is making the relevant decisions. Minor decisions in Ireland to adjust a product for the EU do not shift responsibility (and hence the jurisdiction for the case) to Ireland. US big tech companies regularly argue they fall under Irish jurisdiction, because the Irish Data Protection Commission is known to hardly enforce EU law.
Likely far-reaching consequences for Microsoft 365. Microsoft 365 Education is used by millions of students and teachers across Europe. Millions of other people use the standard "Microsoft 365" at companies and authorities in Europe. Properly informing employees, students and other users about how their data is used is mandatory by law - but often factually impossible for commercial customers. If Microsoft does not provide clear information and more powers to its commercial customers, using Microsoft 365 is hardly compliant with EU law. The German data protection authorities have already considered Microsoft 365 to fall short of the requirements of the GDPR.
Max Schrems, data protection lawyer at noyb: “We have 'big tech' providers trying to get all the power, but shifting all responsibilities to European commercial customers. If Microsoft does not fundamentally change the setup of their products, European commercial customers will not be able to comply with their obligations.”