Microsoft software accused of breaching data rights of EU schoolchildren


Hundreds of thousands of European schoolchildren are likely being tracked by Microsoft education software widely deployed in schools across the continent, according to a group which lodged a formal complaint on the issue before an Austrian regulator today (4 June).

NOYB has asked the watchdog to investigate what data is processed by Microsoft 365 Education – a product used widely in classrooms – as it claims that neither the company’s privacy documentation, requests for access, nor NOYB’s own research could fully clarify this, which violates transparency provisions of the General Data Protection Regulation (GDPR).

NOYB claims that software vendors like US tech giant Microsoft ignore GDPR rights by “dumping” legal responsibilities under the EU’s privacy rules on schools that provide the software for educational purposes.

“Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations,” Maartje de Graaf, data protection lawyer at NOYB, said.

Felix Mikolasch, another data protection lawyer at NOYB, claimed that the software also tracks users regardless of their age. “This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors,” he said.

Adequacy decisions

It’s not the first time that Microsoft’s products have come under the scrutiny of privacy regulators. In March, the European Commission was ordered to bring its use of Microsoft 365 office programs in line with privacy rules by the European Data Protection Supervisor (EDPS), which oversees data protection issues at EU institutions.

The EDPS said the Commission breached EU rules including those on transfers of personal data outside the EU or European Economic Area (EEA) because in its contract with Microsoft, the executive did not sufficiently specify what types of personal data are to be collected and for which purposes.

The GDPR imposes strict restrictions on personal data, prohibiting it from being shared with countries that don’t have an equivalent level of protection. The data transfer agreement between the EU and US was invalidated in 2015 by the Court of Justice of the European Union (CJEU) after Austrian privacy lawyer Max Schrems - who founded NOYB - challenged it, and the same happened to the replacement data transfer framework.

The US officially regained its “adequacy” status in July 2023, after the US government issued an executive order to limit EU data collection to “necessary and proportionate” levels.

Microsoft has been contacted for a comment.

© Euronews