The Austrian data privacy body, None Of Your Business (NOYB) filed two complaints against Microsoft. The complaints are concerning the operation of Microsoft 365 Education software package and child data privacy. The privacy group had earlier filed grievances against OpenAI, Meta✴, Spotify, and other tech firms.
According to NOYB, the Microsoft 365 Education allegedly installs cookies, which, as per Microsoft’s own documentation, are used for user behavior analysis, browser data collection, and advertising, unbeknownst to schools. NOYB claims that Microsoft articulates its school data usage with consistent vagueness and could secretly monitor children.
“Our data flow analysis raises significant concerns. Microsoft 365 Education seems to trail users regardless of their age. This activity likely affects hundreds of thousands of EU and EEA school children and students. Authorities must finally step up and effectively ensure children’s rights are adhered to”, noted NOYB data protection lawyer Felix Mikolasch.
The defenders assert that Microsoft offloads the responsibility of adhering to the General Data Protection Regulation (GDPR) to schools without providing them access to or explanations about their privacy or data collection policies. “Microsoft holds all the crucial information about data handling in its software, but points the finger at schools when it comes to rights implementation. Schools have been dispossessed of their ability to uphold transparency and data processing obligations”, added another NOYB lawyer, Maartje de Graaf.
The GDPR establishes strict standards for the protection of minor’s data, emphasizing additional identity protection, transparency, and accountability. Breach of the regulation could result in fines up to €20 million or 4% of the company’s global turnover of the previous year – whichever is higher.