Not allowed: Microsoft could track schoolchildren for advertising purposes

Austrian schools pay for Microsoft software for their students. Without the knowledge of the schools or children, Microsoft places cookies. A complaint is successful.


A minor student has achieved a legal victory against Microsoft Corporation: the Austrian Data Protection Authority has upheld a complaint filed by the child in 2024. The reason for this is that Microsoft places personal cookies in the software Microsoft 365 Education, which was rented by the school for the children. These cookies could be used to track the children's online behavior for advertising purposes. Storage occurs without consent, which, according to the Data Protection Authority, is unlawful. The Austrian Ministry of Education and the school claim to have been unaware of this data harvesting.

"According to Microsoft's own documentation, (the cookies) analyze usage behavior, collect browser data, and are used for advertising," explains the data protection organization Noyb, which represented the student in the proceedings. Microsoft, on the other hand, argued in the proceedings that the cookies were merely evaluated pseudonymously for statistical purposes and that the cookies were technically necessary for this.

In fact, pseudonymization only occurs after the personal data has reached Microsoft. And according to the decision, this data transfer falls under the General Data Protection Regulation (GDPR), regardless of any subsequent pseudonymization. Furthermore, the claim that the cookies are necessary for reach measurement is irrelevant because reach measurement itself is not necessary.

Thus, the authority states that Microsoft Corporation "has violated the lawfulness of processing as well as the principle of lawfulness and good faith by processing personal data of the complainant in connection with the use of cookies for the product 'Microsoft 365 Education' without the required legal basis of Art. 6(1) GDPR." This means that Microsoft did not obtain consent and cannot rely on any other legal basis for processing the personal data.

Therefore, the Data Protection Authority orders Microsoft to cease its unlawful behavior. Specifically, it is to "refrain from using technically non-essential cookies if there is no suitable legal basis (consent) for this and personal data of the complainant is processed thereby. In any case, the cookies MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session are considered technically non-essential."


Microsoft does not accept this. It still maintains that it complies with all necessary data protection requirements. "Microsoft 365 for Education meets all prescribed data protection standards, and educational institutions can continue to use it in compliance with the GDPR," a spokesperson told heise online. Whether Microsoft will reprogram the cookies or take legal action has therefore not yet been decided. Microsoft has four weeks for both, calculated from the delivery of the decision issued on January 21st (GZ 2025-0.768.263, D135.026).

Microsoft tried in vain to evade the Austrian proceedings. On the one hand, the corporation argued that it was not responsible for data processing at all, claiming to be merely a (sub)contractor for Austrian educational institutions. However, Microsoft's self-marketing backfired: according to that marketing, the data harvested with Microsoft 365 Education serves all sorts of purposes, from "internal reporting and business modeling" to "energy efficiency."

The Data Protection Authority states that Microsoft pursues these purposes not on behalf of the school but in its own interest, which is why it holds Microsoft responsible for this data processing. The excuse that the "customer-oriented marketing FAQ paper" is not suitable for findings is not accepted by the authority.

On the other hand, the defendant Microsoft Corporation disputed the jurisdiction of the Austrian Data Protection Authority. It argued that the company has a subsidiary in Ireland, which is why the authority there would be competent. This authority is rumored to be particularly friendly to data corporations.

However, the Austrian Data Protection Authority points out that the essential decisions are made not in Ireland but at the company's headquarters in America. According to the ECJ (Case C-604/22 para. 62 ff), it is sufficient for responsibility "that an entity sets guidelines, instructions, technical specifications, protocols, and contractual obligations regarding data processing," which undoubtedly happens in the USA. Because the resulting cookies are set in Austria, Austrian authorities can intervene.

At most, there could be joint responsibility between Microsoft Corporation and its Irish subsidiary. However, Noyb only complained about the parent company, not the Irish subsidiary, so the latter did not become a party to the proceedings. Therefore, the Austrian authority sees no reason to transfer the proceedings to Ireland.

For Microsoft, this is already the second defeat against a student represented by Noyb. In October, the Austrian Data Protection Authority found that Microsoft had violated applicable data protection law by not providing the student with sufficient data protection information upon request. (GZ 2025-0.477.534, D135.027). Additionally, the student's grammar school and the Ministry of Education were reprimanded for not informing the student in advance about the collection and disclosure of her personal data.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.