Austria finds Microsoft illegally tracked students
Austria’s data protection authority has concluded that Microsoft 365 Education tracked students without lawful grounds, according to privacy group Noyb. The authority found that the software installed cookies that collected browser data and were used for advertising purposes, a practice that likely affected millions of students and teachers across Europe. Noyb’s complaint, filed in 2024 on behalf of a minor represented by her father, argued that the tracking violated the EU’s General Data Protection Regulation (GDPR) and children’s data protection rights.
The regulator ordered Microsoft to provide affected users access to their personal data. Noyb said Microsoft had not responded to user requests for access and had attempted to shift responsibility to local schools and national institutions. The decision highlights gaps in transparency around Microsoft 365 Education’s data processing, making it difficult for schools to inform students, parents and teachers about how data are handled and for what purposes.
Microsoft stated it will review the authority’s decision and determine next steps. The company maintained that Microsoft 365 for Education meets required data protection standards and that educational institutions can continue using the service in compliance with the GDPR. The Austrian authority confirmed issuing a decision but released no further public details.
Noyb, founded by privacy activist Max Schrems, has brought numerous GDPR complaints against major technology companies and has filed over 800 complaints across multiple jurisdictions. The decision in Austria may prompt further scrutiny of education technology providers across the EU and could influence enforcement and transparency expectations around processing children’s data.
