noyb (None of Your Business), also known as the European Center for Digital Rights, has filed two complaints under Article 77 of the GDPR against Microsoft, claiming the tech giant violated the privacy rights of school children with its Microsoft 365 Education offering to educational institutions.
noyb believes that Microsoft attempted to shift the responsibility and privacy expectations of the GDPR’s principles onto the institutions through its contracts, but stated that these organizations had no reasonable means of complying with such requests as they did not maintain control over the collected data.
Shifting Privacy Expectations from Big Tech to Local Schools
The non-profit stated that as schools and educational institutions within the European Union increasingly relied on digital services during the pandemic, big tech companies capitalized on this trend to try to create a new generation of loyal customers.
While welcoming the modernization of education, noyb believes that Microsoft has violated several data protection rights while providing educational institutions with access to Microsoft’s 365 Education services, leaving students, parents and the institutes themselves with little choice.
noyb expressed concern over the market power of software vendors such as Microsoft, which enables them to dictate the terms and conditions of their contracts with schools. This power, the organization alleges, has allowed tech providers to shift the majority of legal responsibilities under the General Data Protection Regulation (GDPR) onto local authorities and educational institutions.
noyb states that in reality, neither schools nor local authorities have the ability to influence how Microsoft processes user data. Instead, they often faced a “take-it-or-leave-it” situation, where all decision-making power and profits lay with Microsoft, while the risks are expected to be borne by the schools.
“This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools,” said Maartje de Graaf, a data protection lawyer at noyb. “Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations.”
noyb Believes Countless Children Affected by ‘Secret Tracking’
noyb said that students and educational institutions faced a serious lack of transparency in the privacy documentation surrounding the usage of Microsoft’s 365 Education services. Instead, students and institutes interested in the usage of data were forced to navigate a maze of privacy policies, documents, terms, and contracts, all of which were found to provide slightly different but consistently vague information about what happens to children’s data.
“Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education,” said de Graaf. “It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection.”
European Center for Digital Rights Files Two Complaints
The alleged violations of information privacy laws led to noyb representing the cases of two complainants against Microsoft.
The first complaint cited the case of a father who made requests to obtain personal data collected by Microsoft’s 365 Education service on behalf of his daughter, under the articles of the GDPR. Yet Microsoft had redirected the concerned parent to the “data controller,” and after checking with Microsoft if the school was the data controller, the parent then reached out to the school who then replied that they only had access to the student’s email addresses used for sign-up.
In the second complaint, an individual reported that despite not granting consent to cookie or tracking technologies, Microsoft 365 Education had installed cookies analyzing user behavior and collecting browser data, both of which are used for advertising purposes, according to Microsoft’s own documentation. This type of invasive profiling was being carried out without the school’s knowledge or consent, the non-profit stated.
“Our analysis of the data flows is very worrying,” said Felix Mikolasch, a data protection lawyer at noyb. “Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors.”
noyb has requested the Austrian data protection authority (DSB) to investigate and analyze the data being collected and processed by Microsoft 365 Education, as neither Microsoft’s own privacy documentation, the complainant’s requests for access, nor the non-profit’s own research could clarify this process, which it believes violates the transparency provisions mandated by the GDPR.
noyb also believes that the authority should impose an additional fine on Microsoft, as it believes the company failed to comply with the right of access, and that all children living in the EU/EEA countries were affected by the uniformity in Microsoft 365 Education’s terms & conditions and the privacy documentation of its services across the region.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
