Austria's data protection authority ruled that Microsoft violated the European Union's General Data Protection Regulation by unlawfully tracking students through its Microsoft 365 Education software, according to The Record, a news site by cybersecurity firm Recorded Future.
The decision stemmed from a 2024 complaint filed by the Austrian privacy advocacy group noyb on behalf of a parent who said his childs data was processed without consent and that Microsoft failed to disclose how the information was used. The regulator found that the company used tracking cookies and withheld access to user data, breaching EU privacy rules. Microsoft 365 Education is widely used in schools for cloud storage, communication, and productivity applications. Felix Mikolasch, a data protection lawyer at noyb, said the case reveals a "lack of transparency" in Microsoft's practices, making it "nearly impossible" for schools to inform users how data is handled. Microsoft said it will review the ruling, maintaining that its education products comply with GDPR standards.
The decision stemmed from a 2024 complaint filed by the Austrian privacy advocacy group noyb on behalf of a parent who said his childs data was processed without consent and that Microsoft failed to disclose how the information was used. The regulator found that the company used tracking cookies and withheld access to user data, breaching EU privacy rules. Microsoft 365 Education is widely used in schools for cloud storage, communication, and productivity applications. Felix Mikolasch, a data protection lawyer at noyb, said the case reveals a "lack of transparency" in Microsoft's practices, making it "nearly impossible" for schools to inform users how data is handled. Microsoft said it will review the ruling, maintaining that its education products comply with GDPR standards.
