The Austrian privacy group, NOYB (None of Your Business), has filed two complaints about Microsoft with the Austrian privacy watchdog. One of the issues raised is about Microsoft shirking its data controller responsibilities under EU law, and the other pertains to cookies in Microsoft 365 Education tracking children regardless of their age.
Discussing the first of those issues, NOYB lawyer Maartje de Graaf said:
Under the current system that Microsoft is imposing on schools, your school would have to audit Microsoft or give them instructions on how to process pupils" data. Everyone knows that such contractual arrangements are out of touch with reality. This is nothing more but an attempt to shift the responsibility for children"s data as far away from Microsoft as possible.
Another NOYB lawyer, Felix Mikolasch, said the following about the tracking cookies built into Microsoft 365 Education:
Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA (European Economic Area).
One of the main issues about the tracking Microsoft is allegedly doing is that the user has not consented to being tracked with cookies, according to NOYB. It said that schools using Microsoft 365 Education don’t realise Microsoft is tracking students who use the software, which is also an issue.
NOYB pointed out Microsoft’s documentation which states that cookies are used to analyse behaviour, collect browser data, and use the data for advertising.
Without express permission being given, NOYB believes that Microsoft is probably tracking all minors using its educational products without a valid legal basis.
NOYB said that it wants the Austrian data protection watchdog to investigate and factually analyse what data is being sucked up by Microsoft 365 Education. It said that it has conducted its research, checked Microsoft’s privacy documentation, and made access requests, but it can’t clarify what data is collected, which goes against the GDPR’s transparency provisions.
The NOYB suggested that the authority should impose some sort of fine on Microsoft for flouting EU rules, but the watchdog will have to decide that itself.
Source: Reuters