Austrian watchdog rules against Microsoft education tracking

The decision adds to a growing list of GDPR issues involving Microsoft’s public sector and education services.
An Austrian ruling found Microsoft unlawfully placed tracking cookies on a child’s device through its education platform, triggering wider GDPR concerns for European schools.

Microsoft has been found to have unlawfully placed tracking cookies on a child’s device without valid consent, following a ruling by Austria’s data protection authority.

The case stems from a complaint filed by a privacy group, noyb, concerning Microsoft 365 Education, a platform used by millions of pupils and teachers across Europe.

According to the decision, Microsoft deployed cookies that analysed user behaviour, collected browser data and served advertising purposes, despite being used in an educational context involving minors. The Austrian authority ordered the company to cease the unlawful tracking within four weeks.

Noyb warned the ruling could have broader implications for organisations relying on Microsoft software, particularly schools and public bodies. A data protection lawyer at the group criticised Microsoft’s approach to privacy, arguing that protections appear secondary to marketing considerations.

The ruling follows earlier GDPR findings against Microsoft, including violations of access rights and concerns raised over the European Commission’s own use of Microsoft 365.

Although previous enforcement actions were closed after contractual changes, regulatory scrutiny of Microsoft’s education and public sector products continues.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!