Microsoft accused of tracking kids with education software
Privacy group seeks clarification of whether EU data protection law has been breached
Updated A privacy campaign group with a strong record in legal upheavals has asked the Austrian data protection authority to investigate Microsoft 365 Education to clarify if it breaches transparency provisions under GDPR.
Noyb said Microsoft pushed data protection obligations onto schools that use the system, and failed to comply with subjects' right to access data about them. Neither Microsoft's privacy documentation, requests for access, nor noyb's research could fully clarify what data about children is being processed by Microsoft 365 Education.
Max Schrems, noyb's honorary chairman, was behind a series of court cases that brought an end to a transatlantic data-sharing agreement, now replaced by the EU-US Data Bridge arrangement.
In its new complaint, noyb said Microsoft was trying to avoid responsibility under GDPR by insisting that almost all of the data protection responsibilities lie with local authorities or schools.
"In reality, neither has the power to influence how Microsoft actually processes user data. Instead, they are faced with a take-it-or-leave-it situation where all the decision-making power and profits lie with Microsoft, while schools are expected to bear most of the risks. Schools have no realistic way of negotiating or changing the terms," noyb said in a statement.
- OpenAI slapped with GDPR complaint: How do you correct your work?
- EU tells Meta it can't paywall privacy
- Meta's pay-or-consent model hides 'massive illegal data processing ops': lawsuit
- Meta accused of enrolling undecided EU users in ad-sponsored platform
Maartje de Graaf, data protection lawyer at noyb, said: "Under the current system that Microsoft is imposing on schools, your school would have to audit Microsoft or give them instructions on how to process pupils' data. Everyone knows that such contractual arrangements are out of touch with reality. This is nothing more but an attempt to shift the responsibility for children's data as far away from Microsoft as possible."
The Register has asked Microsoft if it wants to provide a response to the complaint.
In a second complaint, noyb said Microsoft 365 Education still installs cookies without consent and uses them to analyze user behavior, collect browser data and prepare advertising. The company has no valid legal basis for this processing, the campaign group said.
Felix Mikolasch, data protection lawyer at noyb, said: "Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors."
Noyb has asked the DSB (Austrian data protection authority) to determine the personal data about children that Microsoft 365 Education is processing. If the authority finds a breach of GDPR, the authority should impose a fine, the complainant said. ®
Updated at 0751 UTC on June 5, 2024, to add
A spokesperson at Microsoft sent us a statement post publication: “M365 for Education complies with GDPR and other applicable privacy laws and we thoroughly protect the privacy of our young users. We are happy to answer any questions data protection agencies might have about this announcement.”