The Microsoft tracks students case has placed one of the world’s largest tech companies under fire in Europe. Austria’s data protection authority ruled that Microsoft 365 Education violated GDPR by tracking schoolchildren and withholding access to collected data. The decision exposes serious privacy flaws in educational technology used across EU classrooms.
The Austrian Ruling
Austria’s Datenschutzbehörde (DPA) found that Microsoft used tracking cookies in its Microsoft 365 Education platform without proper consent. Investigators discovered that student activity data was transferred to the United States and analyzed for unknown purposes.
The DPA also determined that Microsoft failed to comply with a data access request from a student. The company refused to provide complete records of what information it collected and how it processed it. This refusal, according to regulators, breached transparency obligations under the GDPR.
Microsoft attempted to shift responsibility to local schools and its Irish subsidiary. However, the Austrian DPA ruled that Microsoft Corporation in the United States remains the primary controller of student data.
Broader Legal Implications
The Microsoft tracks students ruling orders Microsoft to delete unlawfully collected information and explain how it processes data from minors. Schools that use Microsoft 365 must also review their contracts to ensure compliance with EU privacy law.
Legal experts say the case could set a precedent across Europe. It establishes that education providers and software vendors share joint accountability for protecting student data. Regulators across the EU may now examine whether similar platforms meet GDPR standards.
Privacy and Ethical Concerns
Privacy advocates argue that the case reveals deeper issues within the edtech industry. Many digital learning tools collect far more information than necessary, often without clear consent.
Children represent one of the most vulnerable groups under data protection law. The Microsoft tracks students ruling reinforces that companies must design products with privacy by default, ensuring that minors’ personal data stays protected from unauthorized use or export.
Microsoft’s Response
Microsoft has stated it remains committed to complying with EU regulations and plans to work with authorities to resolve the issue. The company claims that schools, not Microsoft, oversee how data is handled under their educational agreements.
However, the DPA’s findings suggest Microsoft retains final control over how data is stored and transferred. This means the company cannot fully shift responsibility to third parties or partners.
Conclusion
The Microsoft tracks students case highlights how GDPR enforcement now extends to educational technology. Austria’s ruling against Microsoft sets a clear example for other EU regulators. As the investigation continues, the outcome could reshape how global tech companies manage children’s data in classrooms across Europe.
0 responses to “Microsoft Tracks Students: Austria Rules Microsoft 365 Violated GDPR”