Austrian Regulator Rules Microsoft Illegally Tracked Students with Education Software

Austrian DSB Finds GDPR Violations

Austria's data protection authority, the Datenschutzbehörde (DSB), issued a ruling on Wednesday, October 8, 2025, determining that Microsoft illegally tracked students using its Microsoft 365 Education software. The decision found that the tech giant violated the European Union's General Data Protection Regulation (GDPR) by failing to provide students with access to their personal data and by utilizing cookies for tracking without proper consent.

The ruling follows a 2024 complaint filed by the Austrian privacy advocacy group NOYB (None of Your Business). The complaint was lodged on behalf of a minor student's father, who stated he did not consent to the cookies and could not obtain information regarding his child's data usage.

Details of the Infringements

The DSB's investigation revealed several key violations related to Microsoft 365 Education, a suite of productivity tools including Word, Excel, Outlook, PowerPoint, Teams, and OneDrive, widely used in educational institutions. The authority specifically cited:

• Illegal tracking via cookies: The software installed tracking cookies that collected browser data, reportedly for advertising purposes, without obtaining the necessary consent.
• Failure to grant data access: Microsoft failed to provide full access to personal data upon request, a direct violation of Article 15 of the GDPR.
• Use of student data for 'own purposes': The DSB determined that Microsoft used student data for its own business purposes, extending beyond the educational needs for which the software was provided.
• Lack of transparency: The authority highlighted a significant lack of transparency in how Microsoft 365 Education processes data, making it challenging for schools to meet their own GDPR obligations.

NOYB lawyer Felix Mikolasch commented that the decision 'highlights the lack of transparency in Microsoft 365 Education,' making it 'nearly impossible for schools to inform students, parents and teachers about what is happening with their data.'

Orders and Microsoft's Response

The Austrian DSB has ordered Microsoft to take several corrective actions. These include providing the complainant with access to their data and clarifying how it uses collected data, particularly for its 'own business purposes.' The authority also mandated the deletion of all personal data collected through the illegally used tracking cookies. Furthermore, the DSB found that Microsoft had attempted to shift responsibility for GDPR compliance onto schools and national authorities, entities that often lack the control or understanding to manage the extensive data processing involved.

In response to the ruling, a spokesperson for Microsoft stated that the company would review the decision. Microsoft maintained that 'Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR.'