Noyb win: Microsoft 365 Education may not track school children (noyb.eu)

Austria’s Data Protection Authority (DSB) found that Microsoft 365 Education illegally tracked students and used their data for Microsoft’s own business purposes, ordered deletion of the relevant personal data, and ruled Microsoft violated the GDPR by failing to respond fully to an access request. The DSB rejected Microsoft’s bid to push responsibility onto local schools or its Irish subsidiary, concluding Microsoft US makes the key processing decisions. Microsoft must now provide the complainant full access under Article 15 GDPR and clearly explain vague “business purposes” (e.g., “business modeling,” “energy efficiency”) and whether student data were shared with LinkedIn, OpenAI or ad/measurement vendor Xandr. The decision is significant because it exposes a systemic accountability gap: schools and education ministries often lack visibility into cloud vendors’ telemetry, leaving them unable to meet Articles 13–14 transparency duties. Technically, the case highlights unlawful use of tracking cookies without consent and opaque cross-service data flows. With Microsoft 365 Education used by millions across Europe—and Microsoft 365 similarly widespread in enterprises—this ruling could force Microsoft to change product architecture, consent/controls, and documentation so commercial customers can comply with GDPR, and it may encourage other EU regulators to challenge responsibility-shifting by major US cloud providers.