Microsoft is facing another complaint in the EU, this time over a claim that the company “violates children’s privacy – but blames your local school.”
The complaint was filed by noyb (none of your business), a privacy-focused EU non-profit. While praising the EU’s efforts to implement digital learning post-pandemic, noyb says that a small number of companies are abusing the situation “with the intention of getting children used to their systems and creating a new generation of future ‘loyal’ customers.”
The non-profit specifically calls out Microsoft, saying the company is trying to skirt the GDPR—the EU’s privacy regulation—by saying that schools control student data.
Software vendors like Microsoft have an enormous market power, allowing them to dictate the terms and conditions of contracts with anyone who wants to use their products. At the same time, these software providers try to dodge responsibility by insisting that almost all of it lies with local authorities or schools. In reality, neither has the power to influence how Microsoft actually processes user data. Instead, they are faced with a take-it-or-leave-it situation where all the decision-making power and profits lie with Microsoft, while schools are expected to bear most of the risks. Schools have no realistic way of negotiating or changing the terms.
According to the complaint, Microsoft and other companies are putting schools in a no-win scenario by trying to shift the responsibility to them, while maintaining control of the relevant data.
In practice, this leads to a situation where Microsoft is trying to contractually dump most of its legal responsibilities under the GDPR on schools that provide Microsoft 365 Education services to their pupils or students. This means, for example, that access requests to Microsoft go unanswered – while schools have no realistic way of complying with such requests because they don’t hold the necessary data.
Maartje de Graaf, data protection lawyer at noyb: “This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools. Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations.”
To make matters worse, noyb says that Microsoft is tracking minors’ activity.
But this is not the only issue at hand. Although the complainant did not consent to tracking, Microsoft 365 Education still installed cookies that, according to Microsoft’s own documentation, analyse user behaviour, collect browser data and are used for advertising. Such tracking, which is commonly used for highly-invasive profiling, is apparently carried out without the complainant’s school even knowing. As Microsoft 365 Education is widely used, the company is likely to track all minors using their educational products. The company has no valid legal basis for this processing.
Felix Mikolasch, data protection lawyer at noyb: “Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors.”
Microsoft has already faced multiple complaints within the EU that have led to the company making significant changes to its business. If this latest complaint gains traction, Microsoft may be forced to make yet more changes to its operations.