Austrian privacy organization files complaints against Microsoft
TapTechNews June 5th news, the Austrian privacy organization None of Your Business (NOYB) has submitted two complaints against Microsoft to the Austrian data protection regulatory agency. One issue is that Microsoft evades the data controller responsibility stipulated by EU law, and the other is that the cookies in Microsoft 365 Education track all users regardless of age.
TapTechNews noticed that when NOYB lawyer Maartje de Graaf talked about the first issue, he said, According to the current system implemented by Microsoft for schools, schools must review Microsoft or provide them with instructions on how to handle student data. As we all know, such a contractual arrangement is divorced from reality and is just a means for Microsoft to try to minimize its responsibility for children's data.
Another NOYB lawyer, Felix Mikolasch, questioned the built-in tracking cookies of Microsoft 365 Education: We analyzed the data flow and the results are worrying. Microsoft 365 Education seems to track all users regardless of their age. This practice may affect hundreds of thousands of students in the EU and the European Economic Area (EEA).
According to NOYB, one of the main problems of Microsoft's alleged data tracking is that it tracks users without their consent. They said that the schools using Microsoft 365 Education do not know that Microsoft will track the students using the software, which is also a problem.
NOYB pointed out that Microsoft's documentation mentions that cookies are used for analyzing behavior, collecting browser data, and for advertising. NOYB believes that without clear permission, Microsoft may be tracking all minors using its educational products without a legal basis.
NOYB requests the Austrian data protection regulatory agency to conduct an investigation and fact analysis of the data collected by Microsoft 365 Education. They said they have conducted an investigation, reviewed Microsoft's privacy policy documents, and made data access requests, but cannot figure out exactly what data is collected, which violates the transparency regulation of GDPR.
NOYB proposed that the regulatory agency should fine Microsoft for violating EU regulations, but the final decision of the penalty lies with the regulatory agency itself.