Austrian DPA Finds Microsoft’s Tracking of Students Breaches GDPR
The Austrian data protection authority (DSB) has decided that Microsoft illegally installed tracking cookies on the devices of a school pupil without obtaining proper consent. This decision followed a complaint filed by the Austria-based campaign group None of Your Business (noyb). The cookies were placed on devices using Microsoft 365 Education and were found to collect browser data, analyze user behavior, and serve advertising purposes, in violation of GDPR rules concerning minors.
Microsoft has been ordered to stop tracking the minor within four weeks. Both the school and the Austrian Ministry of Education stated they were unaware of the tracking cookies before noyb’s complaint. Microsoft’s privacy documentation and access requests did not clearly explain the nature of data processing related to children using Microsoft 365 Education, raising concerns about transparency and data protection compliance.
The case began during the COVID-19 pandemic when schools rapidly adopted online learning platforms such as Microsoft 365 Education and Google Workspace for Education. The Austrian data protection authority previously found that Microsoft had unlawfully tracked students and tried to shift responsibility for data access requests to schools. The authority demanded Microsoft provide detailed information on the data transmitted and clarify terms like “internal reporting” and “business modeling.”
Microsoft responded by stating that Microsoft 365 for Education complies with all required data protection standards and that educational institutions can continue using the platform in compliance with GDPR. The company is currently reviewing the authority’s latest decision and will determine its next steps accordingly.