Microsoft 'illegally' tracked students via 365 Education, says data watchdog

(2025/10/13)


An Austrian digital privacy group has claimed victory over Microsoft after the country's data protection regulator ruled the software giant "illegally" tracked students via its 365 Education platform and used their data.

noyb [1]said the [2]ruling [PDF] by the Austrian Data Protection Authority also confirmed that Microsoft had tried to shift responsibility for access requests to local schools, and the software and cloud giant would have to explain how it used user data.

The ruling could have far-reaching effects for Microsoft and its obligations to inform Microsoft 365 users across Europe about what it is doing with their data, noyb argues.

The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of 365 Education.

The privacy group said: "Microsoft shifted all responsibility to comply with privacy laws onto schools and national authorities – that have little to no actual control over the use of student data."

When the complainant filed an access request to see what information was being processed, "this led to massive finger pointing: Microsoft simply referred the complainant to its local school."

But the school and education authorities could only provide minimal information. The school, for example, could not access information that rested with Microsoft. "No one felt able to comply with GDPR rights."

This prompted a complaint against the school, national and local education authorities, and Microsoft.

The ruling, machine translated, said: "It is determined that Microsoft, as a controller, violated the complainant's right of access (Art. 15 GDPR) by failing to provide complete information about the data processed when using Microsoft Education 365."

Microsoft was ordered to provide complete information about the data transmitted, and to provide clear explanations of terms such as "internal reporting," "business modelling" and "improvement of core functionality." It must also disclose if information was transferred to third parties.

The data protection authority ruled the school in question and federal education authorities had also failed to provide information to the complainant and must provide information on data processing within ten weeks.

The complaint against the provincial education authority was dismissed.

[8]Microsoft lets bosses spot teams that are dodging Copilot

[9]Privacy warriors whip out GDPR after ChatGPT wrongly accuses dad of child murder

[10]Meta training AI on social media posts? Only 7% in Europe think it's OK

[11]Giving Windows total recall of everything a user does is a privacy minefield

Microsoft also argued that its Ireland subsidiary was in charge of 365, and therefore jurisdiction fell to Ireland. The authority rejected that argument, and decided it was Microsoft US that made the decisions, according to noyb.

A spokesman for Microsoft told us: "Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We will review the Austrian data protection authority's decision and decide on next steps in due course."

Max Schrems, data protection lawyer at noyb, said in a statement: "We have 'big tech' providers trying to get all the power, but shifting all responsibilities to European commercial customers. If Microsoft does not fundamentally change the setup of their products, European commercial customers will not be able to comply with their obligations." ®



[1] https://noyb.eu/en/noyb-win-microsoft-365-education-tracks-school-children

[2] https://noyb.eu/sites/default/files/2025-10/Microsoft_Education_365_Bescheid_bk.pdf

[8] https://www.theregister.com/2025/10/10/microsoft_copilot_viva_insights/

[9] https://www.theregister.com/2025/03/20/chatgpt_accuses_man_of_murdering/

[10] https://www.theregister.com/2025/08/07/meta_training_ai_on_social/

[11] https://www.theregister.com/2024/05/22/windows_recall/



TVU

"Microsoft 'illegally' tracked students via 365 Education, says data watchdog"

As Mr C of The Shamen said on the Ebeneezer Goode track, "Naughty, naughty, very naughty".

Seriously though, Microsoft is one of the worst offenders when it comes to data slurping and it ought now to step back from that in terms of less data collection and less detailed data collection and then it wouldn't fall foul of national data regulators.

Redmond argued schools, education authorities are responsible for GDPR

Aladdin Sane

That's not how this works.

Re: Redmond argued schools, education authorities are responsible for GDPR

Doctor Syntax

It's how it should work. If Microsoft makes it impossible then maybe they shouldn't be using Microsoft products.

Re: Redmond argued schools, education authorities are responsible for GDPR

Aladdin Sane

No, Microsoft shouldn't breach GDPR, nor should the authorities. M$ are trying to shirk their responsibilities here and deserve to be nailed for it.

Doctor Syntax

"Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We will review the Austrian data protection authority's decision and decide on next steps in due course."

Translation: "We're right. Maybe we'll get round to reading this bit of paper that says we're not and then work out how to ignore it because we're right."

When is El Reg

Anonymous Coward

going to add a Chitty Chitty Bang Bang Childcatcher icon?
