Noyb complaint about tracking: Microsoft violates students' privacy

Contents

Microsoft is violating the rights of students with Microsoft 365 Education, complains an Austrian student. With the support of the data protection organization Noyb, she has submitted a corresponding complaint to the Austrian Data Protection Authority (DPA). In a second complaint against Microsoft, Noyb (none of your business) is representing a former pupil. The allegation: Microsoft is secretly tracking children with the free office package for schools and the associated cloud services. The software installs several cookies on users' end devices without being asked. According to the software documentation, these cookies analyze usage behavior, collect browser data and are used for advertising.

The pupil's school, which Noyb represents, was apparently unaware of this intrusive practice, the data protection organizations explain in the complaint. Microsoft had not obtained consent for this data processing, which was questionable in any case, and was therefore in breach of the General Data Protection Regulation (GDPR). Contrary to the idea of "privacy by default" standardized therein, the impression of "tracking by default" is conveyed here. Various options are to be deactivated to create a data protection-friendly state. Considering the widespread use of MS 365 Education, the company is most likely tracking all underage users of its software products without a valid legal basis and processing the data collected in this way illegally.

Legal construction is unrealistic

In the second complaint, Noyb accuses Microsoft of shifting responsibility for the operation of the Office package onto schools. The US company insists that it is only a "processor". This means that the entire responsibility lies with the local school supervisory authorities.

In reality, however, neither the EU states, the competent authorities nor the schools could assume the legally envisaged role of an accountable controller that instructs the processor to carry out the processing in a certain way. The market realities lead to a 'freeze or die' approach, where all decisions and profits lie with the supposed processor and the formal controller is liable for most risks. In Austria, even local school principals should ensure GDPR compliance.

Labyrinth of data protection documents

According to Noyb, this also means that requests for information to Microsoft remain unanswered. Schools, in turn, are unable to comply with such transparency requests because they do not have the necessary data. Under the current system, the educational institutions would also have to audit the Microsoft products. Everyone knows that such contractual agreements do not correspond to reality.

It is not even clear which data protection guidelines apply to the use of MS 365 Education: The company's documentation "is so opaque and complicated" that users and schools have to find their way through a maze of different documents and contracts. The information provided is always slightly different, but "consistently vaguely formulated".

Noyb therefore calls on the DPA to investigate the data processing by MS 365 Education and to publicize its extent. Even knowledgeable observers were unable to do this straight away. The company is therefore in breach of the transparency provisions of the GDPR.

Proposed fine

The company had also ignored the right to information. Due to the potentially hundreds of thousands of pupils and students affected, Noyb also suggests that the DPA impose a fine on Microsoft.

In Germany, the data protection conference of the federal and state governments has repeatedly stated that institutions such as public authorities, schools and companies "cannot use MS Office 365 in a legally compliant manner" without further ado and must take additional protective measures, particularly in relation to order processing.

(ds)