Microsoft hit with EU privacy complaints over schools' use of 365 Education suite

Microsoft's education-focused flavor of its cloud productivity suite, Microsoft 365 Education, is facing investigation in the European Union. Privacy rights nonprofit noyb has just lodged two complaints with Austria's data protection authority.

The complaints examine the use of Microsoft's cloud software by schools. The first one focuses on transparency and legal basis issues. noyb says it's concerned minors' data is being processed unlawfully -- and its press release hits out at what it dubs "consistently vague" information provided by the tech giant about how children's information is used.

The bloc's General Data Protection Regulation (GDPR) sets out a high expectation of protection for children's data. Transparency and accountability must be keystones whenever minors' information is processed. A lawful basis is also required. Confirmed breaches of the regime can attract fines of up to 4% of global annual turnover, which could scale to billions of dollars in Microsoft's case.

The privacy rights group's complaint accuses Microsoft of trying to evade its legal responsibilities as a data controller of children's information by using the contracts that schools have to sign to access its software to shift compliance onto them. noyb argues schools are not in a position to comply with the EU law's transparency requirements or data access rights, as they cannot know what Microsoft is doing with kids' data.

Microsoft 365 Education's price point varies but the software package can be offered for free for schools that meet certain eligibility criteria.

"Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection,” said Maartje de Graaf, data protection lawyer at noyb, in a statement.

“This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools. Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations," she added.

"Under the current system that Microsoft is imposing on schools, your school would have to audit Microsoft or give them instructions on how to process pupils’ data. Everyone knows that such contractual arrangements are out of touch with reality. This is nothing more but an attempt to shift the responsibility for children's’ data as far away from Microsoft as possible.”

A second complaint filed by noyb Tuesday also accuses Microsoft of secretly tracking children. noyb says it found tracking cookies that were installed by Microsoft 365 Education despite the complainant not consenting to tracking. Per Microsoft’s documentation, these cookies analyze user behavior, collect browser data and are used for advertising, it added.

"Such tracking, which is commonly used for highly invasive profiling, is apparently carried out without the complainant’s school even knowing," noyb wrote. "As Microsoft 365 Education is widely used, the company is likely to track all minors using their educational products. The company has no valid legal basis for this processing."

Again, the GDPR sets a high bar for lawful use of children's data for marketing purposes -- requiring data controllers take special care to protect minors' information and ensure any uses of minors' information are fair, lawful and clearly conveyed.

noyb contends that Microsoft's contracts, T&Cs and data flows do not live up to this bar.

“Our analysis of the data flows is very worrying," said Felix Mikolasch, another data protection lawyer at noyb, in a statement. "Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA [European Economic Area]. Authorities should finally step up and effectively enforce the rights of minors.”

noyb is asking the Austrian DPA to investigate the complaints and determine what data is being processed by Microsoft 365 Education. It also urges the authority to impose a fine if it confirms the GDPR has been breached.

Microsoft was contacted for comment on noyb's complaint. A company spokesperson emailed this statement: “M365 for Education complies with GDPR and other applicable privacy laws and we thoroughly protect the privacy of our young users. We are happy to answer any questions data protection agencies might have about today’s announcement.”

While the tech giant has a regional base in Ireland, which typically means cross-border GDPR complaints would end up being referred back to the Irish Data Protection Commission to look at, a spokesperson for noyb emphasized the "locally relevant" nature of the two Microsoft 365 Education complaints -- saying they believe the Austrian DPA is competent to investigate.

"The complaints could actually stay in Austria," the spokesperson told TechCrunch. "The case is very locally relevant because it concerns Austrian schools and Austrian pupils, so we hope the [Austrian DPA] will take matters into its own hands. Also, we have filed the complaints against Microsoft's US entity instead of the EU branch."

This is important as it could lead to swifter decision-making -- and potential enforcement -- on the complaints against Microsoft.

GDPR complaints focused on children's data have led to some of the largest penalties to date, such as the €405 million fine Ireland imposed on Meta, back in the summer of 2022, for Instagram-related minor protection failures. Last year the video-sharing social network TikTok was also found in breach of legal requirements to keep kids' data safe -- receiving a €345 million fine.

Meanwhile, Microsoft's cloud productivity suite remains under a broader legal cloud in the EU. Back in March the bloc's own use of 365 was found in breach of the GDPR by the European Data Protection Supervisor -- which imposed corrective measures, giving EU institutions until early December to fix the compliance issues identified.

A lengthy investigation of Microsoft 365 by German data protection authorities also identified a raft of problems back in the fall of 2022 -- with the working group concluding at the time there was no way to use the software suite in a way that was compliant with the GDPR.

This report was updated with a comment from Microsoft

https://techcrunch.com/2024/03/11/edps-microsoft-365