NOYB asked the Austrian privacy watchdog to investigate the use of Microsoft Education 365.
It is likely that hundreds of thousands of European schoolchildren are being tracked for him educational software of Microsoftwidely implemented in schools throughout the continent, according to an NGO that presented last Tuesday a formal complaint on this matter before an Austrian regulatory body.
The NOYB organization has asked the watchdog to investigate what data it processes Microsoft 365 Education (a product widely used in classrooms), since it states that not even the privacy documentation of the companyneither the access requests nor NOYB’s own investigation have been able to fully clarify it, which viola the provisions on transparency of the General Data Protection Regulation (GDPR).
NOYB claims that software providers such as US tech giant Microsoft ignore GDPR rights by “offloading” legal responsibilities under EU privacy rules onto schools that provide the software for educational purposes.
“Microsoft has all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way to meet obligations of transparency and information,” said Maartje de Graaf, data protection lawyer at NOYB.
Felix Mikolasch, another data protection lawyer at NOYB, stated that the software also tracks users regardless of age. “Es probable that this practice affects hundreds of thousands of students of the EU and the European Economic Area. The authorities should finally step up and effectively enforce the rights of minors“, he claimed.
Microsoft ensures that it complies with the Regulation
A Microsoft spokesperson said the product “GDPR compliant and other applicable privacy laws” and that the company protege thoroughly Privacy of its young users. “We will be happy to answer any questions data protection agencies may have about today’s announcement,” the spokesperson added.
Appropriateness decisions
It is not the first time that Microsoft products have been in the crosshairs of privacy regulators. In March, the European Data Protection Supervisor (EDPS), who oversees data protection issues in the EU institutions, orderedto the European Comission to adjust your use of Microsoft 365 office programs to the Privacy rules.
The EDPS said that the Commission violated EU rulesincluding those relating to transfers of personal data outside the EU or the European Economic Area (EEA), because in its contract with Microsoft the Executive did not sufficiently specify what types of personal data were to be collected and for what purposes.
The GDPR imposes strict restrictions to personal data, prohibiting sharing it with countries that do not have an equivalent level of protection. The data transfer agreement between the EU and the US was invalidatedin 2015 by the Court of Justice of the European Union (CJEU) after Austrian lawyer Max Schrems (founder of NOYB) challenged it, and the same thing happened with the replacement data transfer framework.
The United States officially regained its “adequacy” status in July 2023, after the US government issued a executive order for limit the data collection from the EU to “necessary and proportionate” levels“.