Data & Analytics

Microsoft faces two complaints of violating children’s privacy rights in the EU

A European digital rights organization filed two complaints against the tech giant earlier this month.
article cover

Francis Scialabba

3 min read

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

The European Center for Digital Rights (NOYB) is calling for an investigation of Microsoft, which it accuses of violating children’s privacy rights in the EU. The organization filed two complaints against the tech giant earlier this month and said it’s unclear how the company handles data within Microsoft 365 Education.

Class in session. NOYB, based in Vienna, Austria, seeks to protect users’ rights and freedoms relating to personal data. The first complaint, filed June 4, claims a father in Vienna requested data from Microsoft last August, wanting to know more about how the company was processing his daughter’s personal info within Microsoft 365 Education products and services such as Word, Teams, and SharePoint.

At the time, according to the complaint, Microsoft replied that he should direct his request to his child’s school, which it said was responsible for the data. But the school told him that “the only personal data of the complainant processed by the school is the email address in Microsoft 365 Education.”

“Microsoft holds all the key information about data processing in its software, but is pointing the finger at schools when it comes to exercising rights,” Maartje de Graaf, a data protection lawyer at NOYB, said in the news release.

The second complaint centered on tracking cookies. Microsoft installed cookies on a student’s device when she created a Word document in the online version of Microsoft 365 Education, though she hadn’t “given her consent to the use of cookies or similar trackers and technologies.” In its news release, NOYB said “the company is likely to track all minors using their educational products,” but it “has no valid legal basis for this processing.”

NOYB PR manager Mickey Manakas told IT Brew in an email that it’s difficult to predict what will happen next, but the group hopes “that the Austrian authority will order Microsoft to make its data processing compliant, to make its privacy documentation more transparent, and to ensure that the company complies with people’s right of access.”

Law and order? When it comes to data compliance standards, the EU’s “General Data Protection Regulation (GDPR) is one of the strongest and most comprehensive attempts globally to regulate the collection and use of personal data by both governments and the private sector,” according to Human Rights Watch. NOYB says Microsoft could be breaching one of the articles “by failing to determine in advance who will serve as the contact point for the exercise of data subjects’ rights.”

A Microsoft spokesperson told Reuters that “M365 for Education complies with GDPR and other applicable privacy laws and we thoroughly protect the privacy of our young users.”

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.