Austria DSB Ruling Targets Microsoft 365 Education Tracking Minors under GDPR

The Austrian data protection authority has found that Microsoft’s widely used Microsoft 365 Education platform illegally tracked students, failed to provide full access to their personal data, and attempted to shift GDPR responsibilities onto schools and education authorities — a ruling that could ripple across European classrooms and force a major vendor to rethink how it documents and explains cloud processing for minors.

Illustration: Microsoft 365 Education with a GDPR shield and a "Transparency Required" sign beside students.

Background

The dispute began with complaints lodged in 2024 during the pandemic-era expansion of cloud tools in schools. As millions of pupils and teachers moved lessons online, education customers adopted cloud suites at scale. Microsoft 365 Education — the education-tailored version of Microsoft’s productivity cloud — became one of the most common options for institutions seeking integrated email, collaboration, classroom management and content storage.
Privacy advocates argued that the speed of adoption left gaps in transparency and accountability. A privacy complaint filed on behalf of affected students alleged that Microsoft 365 Education included tracking technologies that collected behavioural and telemetry data without lawful consent and that Microsoft avoided direct accountability by telling parents and pupils to take access requests to their local school administrators — even though the school often lacked technical access to the full data flows.
Those complaints culminated in a decision by Austria’s data protection authority (the DSB). The authority found multiple violations, ordered deletion of certain data, and required Microsoft to provide clearer, concrete explanations of what it meant by broad processing purposes. The regulator also determined that Microsoft’s US operations — rather than its European subsidiary — were the decisive actor for the processing at issue.

Overview of the DSB findings

What the regulator said

The DSB’s decision characterises the facts as a failure of transparency and a misallocation of responsibilities:
  • Illegal tracking: The regulator concluded Microsoft 365 Education employed tracking cookies and similar technologies that were not justified as strictly necessary for the technical operation of the service and therefore required informed prior consent — which was not obtained for the students in question.
  • Breach of the right of access (Article 15 GDPR): Microsoft failed to provide a full, intelligible copy of the personal data being processed for the student complainant. Directing the data subject to the local school without furnishing machine-readable exports or granular details about the categories and recipients of data was judged insufficient.
  • Responsibility shifting: Microsoft’s position — that schools or national education authorities were the primary parties responsible for exercising data-subject rights — was rejected to the extent that the DSB found Microsoft had not provided authorities with enough information to enable them to fulfil statutory transparency duties.
  • Controller identification: Microsoft argued its Irish subsidiary was responsible for Microsoft 365 operations in the EU. The DSB determined that key decision-making took place outside Ireland and that the US parent company had decisive influence over processing choices in the product as used in this instance.
  • Rectifications and orders: The regulator ordered Microsoft to deliver complete answers to the access request, to explain vaguely worded internal-purpose labels such as “business modelling,” “internal reporting,” and “improvement of core functionality,” and to clarify whether student data had been shared with external entities. The school and central education authority were also required to provide specific transparency information they should have given, though one provincial authority’s complaint was dismissed.

What was not (yet) proven

The DSB asked Microsoft to disclose whether specific transfers took place to third parties such as LinkedIn, OpenAI or ad‑tech firms flagged by telemetry. The ruling requires Microsoft to answer those questions; it does not, in itself, conclude that such transfers definitively occurred. Those transfer claims remain subject to Microsoft’s forthcoming explanations and any further investigation.

Why this matters: legal and operational implications

For Microsoft

This decision strikes at two of Microsoft’s longstanding defence patterns:
  • The company frequently positions its products for organisation-managed accounts as tools provided “to institutions” and insists institutions (the contracting customer) are the primary interface for privacy messages and data‑subject requests. Here, regulators pushed back on that posture when an institution cannot practically provide the underlying technical transparency.
  • Large cloud vendors often centralise key processing and decision-making functions in parent entities or US‑based operations while using European subsidiaries for contractual interfaces. Regulators will scrutinise those governance arrangements if they result in an EU authority being unable to exercise effective oversight.
A successful challenge that undermines a vendor’s ability to rely on a local contract or reseller model to manage transparency and access obligations could force product-level changes: clearer in-product mechanisms for exports, tailored education‑tenant privacy settings, and more granular documentation for schools.

For schools and education authorities

Many schools lack the legal, technical and procurement muscle to audit cloud vendors. The DSB’s finding that institutions were left unable to meet Articles 13 and 14 transparency requirements because Microsoft withheld technical detail underscores a structural problem:
  • Schools are not typically in a position to perform forensic audits of telemetry and cookie behaviour across a cloud platform.
  • The ruling makes clear that contractual assignments of responsibilities are insufficient where they do not correspond to the factual control of data processing.
  • Education ministries and school boards will now face a practical choice: demand more transparency and contractual guarantees from vendors, deploy alternate vendors with stronger on‑premises or privacy‑first offerings, or invest in local capacity to manage and audit cloud providers.

For GDPR enforcement and other vendors

The DSB decision is likely to be read as a precedent: if a major cloud provider is deemed to have used non-essential tracking in education products, national regulators may feel emboldened to scrutinise other mainstream education platforms. The ruling also highlights that supervisory authorities will probe the mechanics of how access requests are handled between data controllers and organisation-managed tenants.

The technical and privacy details: what "tracking" entails

The crux of the privacy concern is that Microsoft 365 Education, as deployed, included code and cookies that went beyond core functional requirements and produced behavioural and telemetry streams used for internal analytics and, potentially, business purposes.
Key technical categories implicated:
  • Cookies and client-side identifiers: Cookies like MUID/ANID and other Microsoft identifiers are known in the broader Microsoft ecosystem. While some cookies are clearly functional (session management, authentication), others are used for personalization, telemetry or advertising unless explicitly restricted. Regulators distinguish strictly necessary cookies from those requiring prior consent.
  • Telemetry and diagnostic data: Modern cloud software collects diagnostic and usage telemetry to improve software stability, security and performance. The legal question is whether such telemetry can be considered necessary for service provision in an educational context and whether it is minimised and documented.
  • Third-party calls and endpoints: Many complex cloud platforms route events, analytics and feature-usage logs to internal analytics clusters or third-party services. If those endpoints are outside the EU or go to parties with different legal regimes, additional transfer and transparency obligations apply.
  • Automated profiling or “business modelling”: Labels like “business modelling” are vague; they can encompass anything from anonymised trend analytics to commercial profiling for product development. The DSB required plain-English definitions of these terms so data subjects can understand purpose and impact.
These technical practices are not unique to Microsoft — telemetry, analytics and cookies are common across the major cloud providers. The distinguishing factor in this ruling was the combination of undisclosed tracking behaviours, the involvement of minors, and a lack of accessible access-output from the controller.

Legal mechanics: rights the DSB relied on

Two GDPR provisions were central to the decision:
  • Article 15 — Right of access: Data subjects have the right to obtain confirmation whether their personal data is being processed and, if so, access to the data plus specific information (purposes, categories, recipients, storage periods, rights, sources, and automated-decision-making logic). The DSB found Microsoft’s response did not meet the standard of a complete, intelligible access disclosure.
  • Consent and cookie rules: Under EU privacy law, cookies that are not strictly necessary require prior, informed consent from the data subject. If educational tenants set cookies that processed behavioural data for non-essential purposes without obtaining appropriate consent for minors, that violates the ePrivacy/cookie framework and engages the interplay of Articles 6 and 9 of the GDPR, where special protections for children apply.
In addition, the authority scrutinised controller attribution: who decides the “purposes and means” of processing? Where significant elements of that decision-taking reside with the US parent rather than the European contracting entity, EU supervisory authorities may treat the parent as the controller for enforcement purposes.

Practical steps Microsoft and schools will need to consider

Improve transparency outputs

  • Provide data-subject extracts in a machine-readable, comprehensive format for organisation-managed accounts so pupils and parents can exercise Article 15 rights.
  • Offer clear, user-friendly explanations of processing purposes (no opaque labels like "business modelling" without a definition).

Audit cookie and telemetry use in education tenants

  • Differentiate functionality-critical cookies from optional telemetry; default to the strictest privacy posture for minors.
  • Provide administrators with the controls to disable non-essential telemetry and to document that choice for compliance records.

Revisit contractual and governance mappings

  • If decision-making about processing is centralised, delegate or document clear responsibilities and technical pathways that enable schools to comply with their transparency duties.

Education-sector guidance and procurement changes

  • Ministries and school authorities should require suppliers to demonstrate how classroom deployments enable students to exercise their rights and how the vendor will support access and deletion requests.
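The cookie audit called for under "Audit cookie and telemetry use in education tenants", applied to the cookie categories set out in the tracking section above, as an added example that is not code from Microsoft, the DSB or the article: a small Python inventory script that classifies the cookies observed in a captured browser session as strictly necessary, known identifier or unclassified, records whether a third-party host set them, and lists the ones that still need a consent basis. The host names, the allow-list of necessary cookies and the session log are constructed assumptions; MUID and ANID are the identifier names the article mentions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit
# Assumed first-party domains of the school's tenant (placeholder names).
FIRST_PARTY_SUFFIXES = ("classroom.example",)
# Assumed allow-list of cookies the school itself reviewed and accepted as strictly necessary.
STRICTLY_NECESSARY = {"sessionid", "csrftoken"}
# Identifier cookies the article names; treated as consent-required unless documented otherwise.
KNOWN_IDENTIFIER_COOKIES = {"MUID", "ANID"}

@dataclass(frozen=True)
class Finding:
    host: str
    cookie: str
    party: str          # "first-party" or "third-party"
    category: str       # "necessary", "identifier" or "unclassified"
    needs_consent: bool

def party_of(host: str) -> str:
    host = host.lower()
    first = any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)
    return "first-party" if first else "third-party"

def classify_cookie(name: str) -> str:
    if name in STRICTLY_NECESSARY:
        return "necessary"
    return "identifier" if name in KNOWN_IDENTIFIER_COOKIES else "unclassified"

def audit(log: list) -> list:
    """log: [{"url": ..., "set_cookie": [raw Set-Cookie header values]}, ...]"""
    findings = []
    for entry in log:
        host = urlsplit(entry["url"]).hostname or ""
        for header in entry.get("set_cookie", []):
            pair = header.split(";", 1)[0]          # "name=value" before attributes
            name = pair.split("=", 1)[0].strip() if "=" in pair else ""
            if not name:                            # malformed header: nothing to classify
                continue
            cat = classify_cookie(name)
            # Anything not classed as strictly necessary needs a documented consent basis.
            findings.append(Finding(host, name, party_of(host), cat, cat != "necessary"))
    return findings

def consent_gaps(findings: list) -> list:
    """Deduplicated, sorted (host, cookie) pairs that still need a consent basis."""
    return sorted({(f.host, f.cookie) for f in findings if f.needs_consent})

# Constructed session log: placeholder hosts and made-up cookie values.
SAMPLE_LOG = [
    {"url": "https://portal.classroom.example/login",
     "set_cookie": ["sessionid=abc; Path=/; Secure; HttpOnly", "csrftoken=xyz; Path=/"]},
    {"url": "https://portal.classroom.example/home",
     "set_cookie": ["MUID=0123456789; Domain=.classroom.example; Path=/"]},
    {"url": "https://telemetry.vendor-analytics.example/collect",
     "set_cookie": ["ANID=abcdef; Path=/", "ab_test=blue; Path=/", "garbage"]},
]
```

Running `consent_gaps(audit(SAMPLE_LOG))` on the constructed log reports the MUID cookie on the first-party portal and both cookies set by the third-party telemetry host; a real audit would feed it the Set-Cookie headers exported from a browser session (for example a HAR file) and replace the placeholder allow-list with the school's own classification.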

Potential penalties and enforcement exposure

Under the GDPR, administrative fines can be significant: the regulation allows fines up to €20 million or up to 4% of a company’s total worldwide annual turnover of the preceding financial year, whichever is higher. The DSB’s decision ordering deletion and access remediation is a preliminary enforcement step; monetary fines are typically the subject of follow-on procedures.
Beyond fines, consequences include:
  • Corrective orders (deletion, suspension of processing).
  • Obligations to notify customers and data subjects when transparency failures affect rights.
  • Reputational damage, especially where minors are involved.
  • Contract renegotiations or bans by public sector customers who conclude the product cannot be used safely within their jurisdiction.

What Microsoft has said, and what remains to be seen

Microsoft has indicated it will review the DSB decision and decide next steps. In commercial and public statements, the company typically asserts that Microsoft 365 for Education meets applicable data-protection standards and that institutions can use it in compliance with GDPR when deployed according to guidance.
Critical follow-ups to expect:
  • Microsoft’s detailed technical response: the company must explain, in regulatory‑acceptable detail, what each processing purpose label means and whether student data ever flowed to external vendors or non‑EU recipients.
  • Remediation measures: technical fixes, updated privacy documentation, and enhanced admin tooling to enable schools to meet transparency obligations.
  • Possible appeals: the decision may be challenged in administrative courts, which could prolong final outcomes and any monetary penalties.

Broader context: why education data attracts strict scrutiny

Children’s data draws extra regulatory attention for several reasons:
  • Minors are treated as a vulnerable class under data protection standards and, in some contexts, require parental consent for certain processing.
  • Schools hold both educational records and behavioural traces; mixing operational educational needs (grades, attendance) with behavioural analytics or commercial profiling raises proportionality issues.
  • The long-term nature of educational relationships means data collected early in life can shape profiles and experiences across years; regulators therefore emphasise minimisation and purpose limitation.
Given this context, a default commercial posture that treats education tenants the same as consumer or enterprise deployments can be legally risky.

Strengths and weaknesses of the DSB ruling

Notable strengths

  • Concrete enforcement of transparency: The DSB did not accept abstract or high-level documentation as sufficient; it demanded practical, data‑subject‑facing outputs. That strengthens data subjects’ real-world ability to exercise rights.
  • Focus on operational reality over contractual labels: By looking at where decisions were actually taken, the DSB prevented a technical evasion of responsibility via corporate structure.
  • Protection for minors: The decision underscores that vendors must take extra care when their products are used by children.

Potential weaknesses or areas for caution

  • Scope and generalisability: While the ruling is powerful, it stems from a specific complaint and factual record. Different implementations of Microsoft 365 Education across countries or configurations may differ, so the ruling’s effect will depend on factual mapping in later cases.
  • Technical nuance: The boundary between strictly necessary telemetry and helpful diagnostics can be complex. Overbroad findings could unintentionally hamper legitimate security and reliability telemetry that benefits pupils (e.g., security incident detection).
  • Enforcement sequencing: The decision orders disclosure and deletion in stages; whether regulators will follow with monetary fines depends on future compliance and any appeal.
Where claims in the public debate remain unsettled, the DSB and Microsoft’s forthcoming operational disclosures should clarify open questions — notably, whether student data was ever exported to particular third parties and the exact nature of the tracking cookies.

What schools, parents and admins should do now

  • Request clarity from vendors: Schools should ask for explicit, written mappings of what telemetry and cookies are active in education tenant configurations and whether non-essential cookies are enabled by default.
  • Enable the strictest privacy posture: Where possible, disable telemetry and external integrations that are unnecessary for learning workflows until a legal/compliance assessment is completed.
  • Document data flows in procurement: When renewing or signing cloud service agreements, require contractual clauses that guarantee supporting access requests and provide export tools that work for data subjects.
  • Implement clear parental notice procedures: Schools must be ready to explain to parents and pupils, in plain language, what data is processed and how to exercise rights.
  • Monitor regulator guidance: National data-protection authorities often issue implementation guidance; follow those updates and update internal practices accordingly.

Conclusion

The DSB decision is a sharp reminder that cloud-scale convenience cannot be a substitute for legal clarity when children’s data is at stake. It forces a re-examination of the assumption — common in many IT procurements — that “we bought the service; the vendor will handle compliance.” Where vendors retain decisive control over telemetry and processing, regulators expect them to be transparent, accessible, and subject to the same rights frameworks as any other controller.
For Microsoft, the ruling raises a practical question: can its existing contractual and technical architecture for education tenants be adapted quickly enough to satisfy European data-protection expectations — or will regulators and customers demand deeper structural changes? For schools, the ruling recalibrates the expectation that they can rely entirely on vendor statements; local administrators must now press for documentation, controls and export mechanisms that let pupils and parents exercise their rights.
If followed by concrete technical disclosures and product changes, the DSB's decision could set a new standard for how education-tailored cloud services describe and constrain telemetry and behavioural tracking: a standard where transparency, minimisation and clear lines of responsibility are treated as features, not afterthoughts.

Source: theregister.com, "Microsoft 'illegally' tracked students via 365 Education"