Microsoft’s education-focused cloud productivity suite, Microsoft 365 Education, is currently under investigation by the European Union. The privacy rights nonprofit noyb has lodged two complaints with Austria’s data protection authority, scrutinizing the use of Microsoft’s cloud software by schools and alleging serious GDPR breaches.
Noyb’s first complaint focuses on issues of transparency and legal basis. The nonprofit argues that Microsoft is unlawfully processing minors’ data, criticizing the tech giant for providing “consistently vague” information about how children’s data is used. Under the General Data Protection Regulation (GDPR), there are stringent expectations for the protection of children’s data, emphasizing transparency and accountability whenever minors’ information is processed. A lawful basis for data processing is also required, and breaches can result in fines of up to 4% of global annual turnover, potentially amounting to billions of dollars for Microsoft.
Maartje de Graaf, a data protection lawyer at noyb, stated, “Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection.”
Key Points from the Complaint:
- Microsoft allegedly uses school contracts to shift GDPR compliance responsibilities to schools.
- Schools are reportedly unable to meet GDPR transparency requirements as they lack insight into Microsoft’s data processing practices.
- The complaint claims that Microsoft’s approach undermines schools’ ability to protect minors’ data.
Noyb accuses Microsoft of attempting to evade its responsibilities as a data controller by using contracts to transfer compliance burdens to schools. According to noyb, schools are not equipped to comply with EU law’s transparency requirements or data access rights since they lack knowledge of Microsoft’s data processing activities.
Felix Mikolasch, another data protection lawyer at noyb, remarked, “This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools. Microsoft holds all the key information about data processing in its software but points the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations.”
The following table summarizes the key allegations made by noyb:
Allegation | Details |
---|---|
Lack of Transparency | Microsoft allegedly fails to provide clear information on data processing. |
Legal Basis Concerns | Minors’ data may be processed unlawfully without proper legal justification. |
Responsibility Shifting | Microsoft purportedly shifts GDPR compliance obligations to schools. |
A second complaint by noyb alleges that Microsoft is secretly tracking children. The privacy group claims that tracking cookies are installed by Microsoft 365 Education without the consent of the user. These cookies allegedly analyze user behavior, collect browser data, and are used for advertising, which noyb asserts is done without the school’s knowledge.
Noyb wrote, “Such tracking, which is commonly used for highly invasive profiling, is apparently carried out without the complainant’s school even knowing. As Microsoft 365 Education is widely used, the company is likely to track all minors using their educational products. The company has no valid legal basis for this processing.”
Key concerns highlighted by noyb include:
- Invasive Profiling: Alleged tracking without consent for profiling purposes.
- Lack of Awareness: Schools may be unaware of the tracking activities.
- GDPR Violations: Potential breaches of GDPR related to children’s data and marketing practices.
Noyb is urging the Austrian Data Protection Authority (DPA) to investigate these complaints and determine the extent of data processing by Microsoft 365 Education. The privacy group also advocates for imposing fines if GDPR violations are confirmed.
Noyb’s complaints against Microsoft have significant implications, as similar cases in the past have resulted in substantial fines. For instance, in 2022, Ireland imposed a €405 million fine on Meta for Instagram-related minor protection failures. Last year, TikTok received a €345 million fine for breaching legal requirements to protect children’s data.
Microsoft has responded to the complaints, stating, “M365 for Education complies with GDPR and other applicable privacy laws and we thoroughly protect the privacy of our young users. We are happy to answer any questions data protection agencies might have about today’s announcement.”
Microsoft’s cloud productivity suite is also under a broader legal cloud in the EU. In March, the EU’s own use of Microsoft 365 was found in breach of the GDPR by the European Data Protection Supervisor, which imposed corrective measures and gave EU institutions until early December to address compliance issues.
Additionally, a lengthy investigation by German data protection authorities in 2022 concluded that there was no way to use Microsoft 365 in a GDPR-compliant manner. This ongoing scrutiny highlights the significant challenges faced by Microsoft in ensuring its services comply with stringent EU data protection laws.
As the investigation progresses, the focus remains on whether the Austrian DPA will take up the case locally, given its relevance to Austrian schools and pupils. This decision could expedite the investigation and potential enforcement actions against Microsoft.
The outcome of this investigation could set a precedent for how educational software providers handle children’s data under the GDPR, underscoring the importance of transparency and accountability in data processing practices.