An Austrian digital privacy group has claimed victory over Microsoft after the country’s data protection regulator ruled the software giant “illegally” tracked students via its 365 Education platform and used their data.
noyb said the ruling [PDF] by the Austrian Data Protection Authority also confirmed that Microsoft had tried to shift responsibility for access requests to local schools, and the software and cloud giant would have to explain how it used user data.
The ruling could have far-reaching effects for Microsoft and its obligations to inform Microsoft 365 users across Europe about what it is doing with their data, noyb argues.
The complaint dates back to the COVID-19 pandemic, when schools rapidly shifted to online learning, using the likes of 365 Education.
The privacy group said: “Microsoft shifted all responsibility to comply with privacy laws onto schools and national authorities – that have little to no actual control over the use of student data.”
When the complainant filed an access request to see what information was being processed, “this led to massive finger pointing: Microsoft simply referred the complainant to its local school.”
But the school and education authorities could only provide minimal information. The school, for example, could not access information that rested with Microsoft. “No one felt able to comply with GDPR rights.”
This prompted a complaint against the school, national and local education authorities, and Microsoft.
The ruling, machine translated, said: “It is determined that Microsoft, as a controller, violated the complainant’s right of access (Art. 15 GDPR) by failing to provide complete information about the data processed when using Microsoft Education 365.”
Microsoft was ordered to provide complete information about the data transmitted, and to provide clear explanations of terms such as “internal reporting,” “business modelling” and “improvement of core functionality.” It must also disclose if information was transferred to third parties.
The data protection authority ruled the school in question and federal education authorities had also failed to provide information to the complainant and must provide information on data processing within ten weeks.
The complaint against the provincial education authority was dismissed.
Microsoft also argued that its Ireland subsidiary was in charge of 365, and therefore jurisdiction fell to Ireland. The authority rejected that argument, and decided it was Microsoft US that made the decisions, according to noyb.
A spokesman for Microsoft told us: “Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We will review the Austrian data protection authority’s decision and decide on next steps in due course.”
Max Schrems, data protection lawyer at noyb, said in a statement: “We have ‘big tech’ providers trying to get all the power, but shifting all responsibilities to European commercial customers. If Microsoft does not fundamentally change the setup of their products, European commercial customers will not be able to comply with their obligations.” ®