Microsoft is under renewed scrutiny in Europe after Austria’s data protection authority ruled that the company illegally tracked students using its 365 Education tools and failed to honor core transparency rights under the GDPR. The decision stems from a complaint by privacy group noyb, which argued that students could not meaningfully access their personal data and that Microsoft tried to shift legal responsibilities onto schools.
The dispute traces back to the pandemic, when many schools rapidly adopted cloud-based platforms for remote learning. According to the complaint, students who asked Microsoft for their data were redirected to their schools, which could provide only limited information. Regulators found this practice violated Article 15 of the GDPR, which guarantees individuals the right to know what data is collected, how it’s processed, and with whom it’s shared. The authority determined that Microsoft acts as the data controller for 365 Education and must provide clear, comprehensive answers directly to users.
In its ruling, the Austrian authority also instructed Microsoft to explain ambiguous processing purposes such as “internal reporting,” “business modelling,” and “improvement of core functionality.” National and federal education bodies were given ten weeks to provide comparable transparency about their roles and data practices.
Microsoft said it believes Microsoft 365 for Education meets required data protection standards and that it will review the decision. Privacy advocate Max Schrems argued the case illustrates a wider problem: large technology providers want control over data while outsourcing regulatory obligations to European customers.
Another key point in the decision concerns who is ultimately responsible. Microsoft maintained that its Irish subsidiary oversees 365 Education and that jurisdiction lies there. The Austrian regulator rejected that position, stating that Microsoft’s U.S. entity made the crucial decisions about data processing.
The outcome could ripple across Europe’s education sector. With millions of students relying on cloud-based learning platforms since COVID-19, the ruling reinforces that companies providing classroom technology must comply with strict GDPR transparency and access requirements—especially when processing data from minors. If upheld, the case may set a precedent that pushes technology vendors to take more direct responsibility for student data, clarifying controller roles and making privacy policies more understandable for schools, parents, and pupils alike.
What schools and families should watch for next:
– Potential changes to Microsoft 365 Education’s privacy documentation and user-access processes
– Clearer explanations of how student data is used for analytics, product improvement, and internal reporting
– More direct channels for students to exercise their GDPR rights with the platform provider
– Guidance from education authorities on best practices for handling student data in cloud services
This ruling signals a broader shift: in Europe, student privacy is not a negotiable add-on to digital learning—it’s a legal requirement that service providers must meet transparently and directly.
