In the European Union, Microsoft 365 Education—a version of its cloud-based office suite designed for the educational sector—is currently under scrutiny. A privacy rights organization, noyb, has filed two complaints with the Austrian data protection authority regarding potential privacy infringements.
These complaints cast light on the adoption of Microsoft’s cloud-based services in educational settings, questioning the legality and transparency of processing students’ data. noyb expresses alarm over the illegal handling of minors’ personal data and condemns Microsoft for providing what it calls “consistently vague” explanations about the usage of such data.
Under the EU’s General Data Protection Regulation (GDPR), the expectation for protecting children’s data is notably stringent. Keys to lawful data processing include transparency and accountability, especially when it concerns minors. Violations of these rules can lead to severe penalties, potentially amounting to billions for entities with the global reach of Microsoft.
According to the complaints by the privacy advocacy group, Microsoft is trying to sidestep its duties regarding children’s data by making educational institutions responsible for compliance through the contractual obligations for using its software. However, noyb points out that schools lack the requisite insights into Microsoft’s data processing practices to fulfill these obligations.
Though offered at different price points, Microsoft 365 Education is available for free to qualifying schools, further complicating the accountability landscape.
“The information Microsoft provides is so ambiguous that not even a seasoned attorney can grasp the complete picture of how it processes personal data within Microsoft 365 Education. This opacity makes it virtually impossible for students or their guardians to understand the scope of data collection by the company,” declared Maartje de Graaf, a data protection lawyer with noyb.
She further criticizes the approach by Microsoft and similar vendors for placing the onus of GDPR compliance squarely on the shoulders of educational institutions, which lack the vital information for fulfilling data processing transparency and rights obligations.
“In the prevailing scenario dictated by Microsoft, a school would need to conduct an audit of Microsoft or direct how to handle student data. The reality is such contractual conditions are far from feasible, essentially transferring the responsibility of managing children’s’ data as far from Microsoft as feasible,” elaborated de Graaf.
A secondary grievance filed by noyb also accuses Microsoft of clandestinely monitoring children via tracking cookies in Microsoft 365 Education, despite no consent being given. According to noyb, such cookies, which gather user data and behavior for advertising purposes, indicate a significant breach of privacy without legal justification.
Again, GDPR mandates stringent consent and protection measures for using children’s data, particularly for marketing. However, noyb argues that Microsoft’s agreements and data handling practices fall short of these standards.
Felix Mikolasch, another data protection expert at noyb, expressed grave concerns regarding their findings, highlighting the risk to potentially hundreds of thousands of young users across the EU and EEA. “It’s urgent for authorities to take action to safeguard the rights of minors,” stated Mikolasch.
Noyb is urging the Austrian DPA to thoroughly investigate and possibly impose fines if GDPR infringements are confirmed.
In response to these allegations, a Microsoft spokesperson assured that M365 for Education adheres to GDPR and other privacy laws, affirming the company’s commitment to protecting young users’ privacy and openness to regulatory queries.
Despite the company’s usual GDPR issues being managed by the Irish Data Protection Commission due to its regional base, noyb believes the specifically “locally relevant” nature of the complaints allows the Austrian DPA jurisdiction. This case’s focus on Austrian schools and students could lead to faster resolution and enforcement against Microsoft.
Historically, GDPR violations concerning children’s data have attracted substantial fines, exemplified by the large penalties imposed on Meta and TikTok for failing to safeguard minors’ data.
The legal landscape for Microsoft’s cloud services remains challenging in the EU, with recent investigations by the European Data Protection Supervisor and German authorities revealing potential GDPR compliance issues.
Microsoft has provided a comment following the updates on the complaints.
Compiled by Techarena.au.
Fanpage: TechArena.au
Watch more about AI – Artificial Intelligence
