HomeWinBuzzer NewsAustrian NOYB Group Accuses Microsoft of GDPR Breaches in Education

Austrian NOYB Group Accuses Microsoft of GDPR Breaches in Education

NOYB says that Microsoft 365 Education takes data from users and pushes responsibilities onto schools, violating GDPR rules.


The Austrian advocacy group NOYB has filed official grievances with Austria's data protection agency, contending that neglects its obligations under EU regulations and misuses tracking cookies within its Microsoft 365 Education package.

NOYB attorney Maartje de Graaf criticizes Microsoft's practice of placing the compliance burden on educational institutions. She points out that expecting schools to monitor Microsoft's practices or instruct them on data is unrealistic, effectively absolving Microsoft of its duty to safeguard student data.

Concerns Over Student Tracking

Felix Mikolasch, another attorney from NOYB, brings attention to the widespread use of tracking cookies in the platform, monitoring users regardless of age. This practice, according to NOYB, affects thousands of students across the EU and EEA, often without their informed consent.

NOYB underscores that Microsoft's documentation reveals the usage of cookies to track user behavior and gather browser data, which is reportedly utilized for advertising purposes. The group argues that this tracking happens without the necessary consent, pushing for a detailed investigation by the Austrian data protection authority to uncover the full extent of Microsoft's data collection practices. Despite extensive research and requests for information, NOYB claims to have found Microsoft's disclosures insufficient and non-compliant with GDPR transparency rules.

Rights to Data Overshadowed

Post-pandemic, EU schools have increased reliance on digital learning tools. However, as major tech companies like Microsoft dominate the market, they often track students' data under the guise of providing services, thereby compromising children's data privacy. When students attempted to assert their GDPR rights, Microsoft redirected responsibility to the schools, which lack the authority to manage these systems effectively.

Companies like Microsoft leverage their market position to impose contract terms that educational institutions must accept without negotiation. Local authorities or schools end up having minimal influence over the processing of , facing a scenario where Microsoft holds significant decision-making power and benefits, while educational institutions assume most risks.

Understanding which privacy guidelines apply to Microsoft 365 Education proves challenging due to a myriad of overlapping policies and obscure terms. This lack of clarity creates a labyrinthine path for users and schools, who struggle to pinpoint how student data is handled under these services.

Advocating for Student Privacy Rights

NOYB has urged Austria's data protection authority to conduct a thorough investigation into Microsoft's data processing activities within its Education suite. The organization's findings indicate that the current practices breach GDPR transparency and access rights, affecting numerous children throughout the EU and EEA. NOYB also calls for possible punitive measures against Microsoft to address these violations.

Last month, NOYB also accused OpenAI of violating GDPR laws. The complaint highlights a potential conflict between the General Data Protection Regulation (GDPR) and the capabilities of large language models (LLMs) like . The core of the issue lies in the inability of the LLM to correct demonstrably inaccurate personal data. This incident came to light when a public figure discovered an error in their date of birth generated by ChatGPT. reportedly acknowledged the mistake but cited technical limitations as hindering the correction process.

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.