The European Union has launched an investigation into Microsoft 365 Education following potential violations of confidentiality. NOYB, a non-profit human rights organization, has lodged two complaints with the Austrian data protection body.
The first probe is focusing on transparency issues and the legality of data usage. NOYB has voiced concerns that minors’ data may be processed unlawfully. In a press release, the organization pointed out that the information provided by Microsoft on how children’s data is used is “ambiguous”.
Under the General Data Protection Regulation (GDPR), there must be a high standard of protection for children’s data, along with transparency and accountability in its processing. Legitimate grounds for such processing are also required. Breaches could potentially result in fines of up to 4% of the company’s global annual revenue, amounting to significant financial penalties for Microsoft.
NOYB has accused Microsoft of trying to evade its legal responsibilities as a controller of children’s data by passing the buck to schools through contracts. NOYB argues that schools are unable to meet EU requirements on transparency and data access rights, as they are unaware of exactly how Microsoft handles children’s data.
Microsoft offers the Microsoft 365 Education Cloud Package for free to qualifying schools. NOYB alleges that the information provided is so convoluted that even a well-versed lawyer would struggle to comprehend how the company processes personal data.
NOYB stated, “The ‘take it or leave it’ approach used by software providers such as Microsoft shifts all GDPR compliance responsibilities to schools. Microsoft possesses crucial information on data processing, yet burdens schools with ensuring compliance.”.
NOYB’s second claim asserts that Microsoft covertly monitors children. According to the organization, Microsoft 365 Education employs tracking cookies without obtaining consent. These cookies gather user behavior data in browsers and are also utilized for advertising purposes.
NOYB contends that such tracking methods are carried out without schools’ knowledge or a legal basis, contravening GDPR standards on utilizing children’s data for marketing. Furthermore, NOYB asserts that Microsoft 365 Education monitors users regardless of age, potentially impacting hundreds of thousands of students across the EU and EEA.
NOYB has called on the Austrian Data Protection Authority to investigate the complaints and ascertain the nature of data processing in Microsoft 365 Education. The organization is also advocating for fines to be imposed if GDPR violations are confirmed.
A Microsoft spokesperson has affirmed that Microsoft