Microsoft accused of "illegally" tracking students through 365 Education: What the ruling means for data privacy

Microsoft is facing a major privacy issue in Europe after Austria’s Data Protection Authority ruled that the company "illegally" tracked students on its 365 Education platform. The decision follows a complaint filed by the Austrian privacy advocacy group, noyb. The group argued that Microsoft had failed to provide students access to their personal data and shifted GDPR responsibilities onto schools.

According to noyb, the issue dates back to the COVID-19 pandemic, when schools switched to Microsoft 365 for remote learning. Along with this new study platform came a new privacy risk as student data passed through a corporate cloud service.

When a student makes a complaint and requests access to their data, Microsoft would refer them to their local school. This arrangement was challenging as the school could only offer limited information.

The regulator ruled that this approach violated Article 15 of the GDPR, stating that Microsoft, as the data controller, must provide full details of how user data is processed and whether it is shared with third parties.

The Austrian authority also directed Microsoft to clarify technical terms like "internal reporting", "business modelling," and "improvement of core functionality". Meanwhile, the national and federal education authorities involved were ordered to provide similar transparency within ten weeks.

Microsoft maintained its compliance, saying, "Microsoft 365 for Education meets all required data protection standards," and noted it would review the ruling. However, data protection lawyer Max Schrems of noyb argued that the case highlights a broader issue. “Big Tech providers try to get all the power, but shift all responsibilities to European customers,” said Schrems.

The enterprise software leader had also argued that its Ireland subsidiary was responsible for 365 Education and that jurisdiction fell there. However, the Austrian authority rejected this, stating that Microsoft US made the key decisions.

The case highlights a growing global concern on how big technology companies handle data collected from minors in educational settings, especially post-pandemic when more students depend on tools such as Microsoft 365 and Google Classroom for remote learning. If upheld, this ruling could reshape how technology firms handle data responsibilities across Europe’s education sector.