Microsoft facing privacy complaints in EU over schools’ use of 365 Education suite

Microsoft’s education-focused cloud productivity suite, Microsoft 365 Education, is under investigation in the European Union, where the nonprofit noyb just filed two complaints with the Austrian data protection authority.

The complaints target schools’ use of Microsoft’s cloud software. The first focuses on issues of transparency and legal basis. noyb says it is concerned about the illegal processing of minors’ data – and its press release calls out what it calls “consistently vague” information provided by the tech giant about how children’s information is used.

The bloc’s General Data Protection Regulation (GDPR) sets high expectations for children’s data protection, emphasizing that transparency and accountability must be the cornerstones of handling information about minors. A legal basis is also required. Confirmed violations of the regime can result in fines of up to 4% of global annual revenue, which could reach billions of dollars in Microsoft’s case.

The privacy group’s complaint accuses Microsoft of trying to avoid its legal responsibilities as a data controller over children’s information by using the contracts schools must sign to access its software to try to make them assume responsibility for compliance. noyb says schools are unable to comply with European law’s transparency requirements or data access rights because they cannot know what Microsoft is doing with children’s data.

Pricing for Microsoft 365 Education varies, but the software package may be offered for free to schools that meet certain eligibility criteria.

“Microsoft provides information so vague that even a trained attorney cannot fully understand how the company processes personal data in Microsoft 365 Education. It is almost impossible for children or their parents to discover the extent of data collection by Microsoft,” said Maartje de Graaf, data protection lawyer at noyb, in a statement.

“This take-it-or-leave-it approach from software companies like Microsoft shifts all GDPR responsibilities onto schools. Microsoft holds all the key information about data processing in its software, but points the finger at schools when it comes to exercising its rights. Schools have no way of meeting transparency and information obligations,” she added.

“Under the current system that Microsoft imposes on schools, your school would have to audit Microsoft or instruct it on how to handle student data. Everyone knows that such contractual arrangements are disconnected from reality. This is just an attempt to keep responsibility for children’s data as far away from Microsoft as possible.”

A second complaint filed by noyb on Tuesday also accuses Microsoft of secretly tracking children, as it claims it discovered that tracking cookies were installed by Microsoft 365 Education even though the plaintiff did not consent to the tracking. According to Microsoft documentation, these cookies analyze user behavior, collect browsing data and are used for advertising purposes, noyb adds.

“This type of tracking, which is commonly used for highly invasive profiling, is apparently conducted without the knowledge of the plaintiff’s school,” noyb wrote. “As Microsoft 365 Education is widely used, the company is likely to track all minors using its education products. The company has no valid legal basis for this processing.”

Once again, the GDPR sets a high bar for the lawful use of children’s data for marketing purposes – requiring data controllers to take special care to protect minors’ information and ensure that any use of information of minors is fair, lawful and clearly communicated.

noyb says Microsoft’s contracts, terms and conditions, and data feeds don’t meet that bar.

“Our analysis of data flows is very worrying,” Felix Mikolasch, another data protection lawyer at noyb, said in a statement. “Microsoft 365 Education appears to follow users regardless of age. This practice is likely to affect hundreds of thousands of pupils and students across the EU and EEA (European Economic Area). The authorities should finally intensify their efforts and effectively enforce the rights of minors.”

noyb asks the Austrian DPA to investigate the complaints and determine what data is processed by Microsoft 365 Education. It also urges the authority to impose a fine if it confirms a GDPR violation.

Microsoft was contacted for comment on noyb’s complaint, but had not responded at the time of publication.

Although the tech giant has a regional base in Ireland, which generally means cross-border GDPR-related complaints would eventually be referred to the Irish Data Protection Commission for review, a noyb spokesperson highlighted the “locally relevant” nature of both Microsoft 365 Education complaints, saying they believe the Austrian DPA is competent to investigate.

“The complaints could actually stay in Austria,” the spokesperson told TechCrunch. “The case is very locally relevant because it concerns Austrian schools and Austrian students. So we hope that (the Austrian DPA) will take matters into their own hands. We also filed complaints against the American entity of Microsoft rather than the European branch.”

This is important because it could lead to faster decision-making – and possibly enforcement – regarding complaints against Microsoft.

GDPR-related complaints focused on children’s data have led to some of the heaviest sanctions to date, such as Ireland’s €405 million fine against Meta in autumn 2022 for minor protection failures related to Instagram. Last year, video-sharing social network TikTok was also found to be in violation of legal requirements to protect children’s data and was fined €345 million.

Microsoft’s cloud productivity suite, meanwhile, remains under a broader legal cloud within the EU. Last March, the bloc’s use of 365 was deemed in violation of GDPR by the European Data Protection Supervisor, which imposed corrective measures, giving European institutions until early December to resolve the compliance issues identified.

A lengthy investigation into Microsoft 365 by German data protection authorities also identified a series of problems in autumn 2022 – with the task force concluding at the time that there was no way to use the software suite in a GDPR compliant manner.

techcrunch