Skip to content

NOYB sues Microsoft over unlawful tracking of children

  • by
  • 4 min read

Privacy advocacy group, European Center for Digital Rights (NOYB), has filed two complaints against Microsoft, alleging that its 365 Education services violate children’s data protection rights and unlawfully track student behaviour without consent. These complaints further highlight serious concerns about the shifting GDPR responsibilities onto schools and the opaque nature of Microsoft’s data processing practices.

The first complaint focuses on Microsoft’s 365 Education services, alleging that they violate children’s data protection rights under GDPR. The European Centre for Digital Rights represents an Austrian school pupil against Microsoft Corporation, the Vienna Directorate of Education, and the Federal Ministry of Education, Science, and Research.

The complaint asserts that Microsoft and the associated education authorities have not clearly defined who is responsible for data protection. This leads to a situation where neither Microsoft (as a processor) nor the schools (as supposed controllers) adequately respond to GDPR rights requests. This ambiguity leaves data subjects, in this case, the student and her father, unable to obtain information about the processing of personal data.

Specifically, the complaint highlights the following issues:

  • Microsoft and schools refer to the responsibility back and forth, failing to clarify who the data controller is.
  • The lack of proper responses to data access requests violates Article 15 of GDPR.
  • The schools and local authorities cannot enforce GDPR provisions against powerful service providers like Microsoft.
  • The systemic problem is that schools are pressured into using Microsoft’s services under terms dictated by Microsoft without the real capacity to control or ensure GDPR compliance.

The complaint seeks to address these GDPR violations and demands that the responsible parties be identified and held accountable for data protection compliance.

“This take-it-or-leave-it approach by software vendors like Microsoft is shifting all GDPR responsibilities to schools. Microsoft holds all the key information about data processing in its software but points the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations,” said Maartje de Graaf, data protection lawyer at NOYB.

The second complaint against Microsoft Corporation concerns installing tracking cookies and subsequent data processing without a legal basis under Article 6 of the General Data Protection Regulation (GDPR).

The complaint highlights that a student at an Austrian school used Microsoft 365 Education without consent. These cookies collected personal data for advertising, site analytics, and operational purposes. The school, acting as a data controller, was unaware of and unable to manage these tracking activities, contradicting GDPR requirements.

The complaint alleges that Microsoft’s documentation and practices did not provide transparent information or obtain valid consent for tracking cookies. It argues that the responsibility for data protection cannot be realistically placed in local schools, which lack the resources and authority to control Microsoft’s data processing activities.

“Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. It is impossible for children or their parents to uncover the extent of Microsoft’s data collection,” explained de Graaf.

Consequently, the complaint claims that Microsoft’s actions violate GDPR provisions related to the legal basis for processing and the principle of ‘privacy by default.’ The complaint calls for the DPA to address these violations and ensure compliance with data protection laws.

“Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors,” said Felix Mikolasch, another lawyer at NOYB.

NOYB also sued OpenAI over the inaccurate date generation of one of its clients.

In the News: React-zutils package malware targets Crypto wallet data

Kumar Hemant

Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: