The European Center for Digital Rights, also known as noyb (None of Your Business), has taken a stand against tech giant Microsoft by filing two complaints under Article 77 of the GDPR. The complaints allege that Microsoft has violated the privacy rights of school children through its Microsoft 365 Education offering to educational institutions.
According to noyb, Microsoft has been trying to shift the responsibility and privacy expectations of the GDPR onto the institutions through its contracts. The organization claims that educational organizations had no reasonable means of complying with such requests as they did not have control over the collected data.
As schools and educational institutions within the European Union increasingly relied on digital services during the pandemic, big tech companies like Microsoft seized the opportunity to create a new generation of loyal customers. While acknowledging the benefits of modernizing education, noyb believes that Microsoft has breached several data protection rights in providing educational institutions with access to Microsoft’s 365 Education services, leaving students, parents, and institutes with limited options.
noyb expresses concerns about the market power of software vendors such as Microsoft, enabling them to dictate terms and conditions in contracts with schools. This power allegedly allows tech providers to offload the majority of legal responsibilities under the GDPR onto local authorities and educational institutions.
The non-profit organization claims that in reality, schools and local authorities lack the ability to influence how Microsoft processes user data. They are often faced with a “take-it-or-leave-it” situation where Microsoft holds decision-making power and profits, while schools bear the risks.
Maartje de Graaf, a data protection lawyer at noyb, highlighted the issue, stating, “This take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools.” The lack of transparency in data processing and information obligations creates challenges for schools to comply with the GDPR.
noyb further asserts that students and educational institutions lack transparency in the privacy documentation surrounding the use of Microsoft’s 365 Education services. Vague information provided by Microsoft complicates understanding of data processing procedures for personal data collected through the service.
The organization filed two complaints against Microsoft based on alleged violations of information privacy laws. The complaints highlight cases where individuals faced challenges in accessing personal data collected by Microsoft’s 365 Education service, as well as unauthorized tracking and data collection for advertising purposes.
Felix Mikolasch, a data protection lawyer at noyb, expressed concerns about Microsoft’s tracking practices, stating, “Microsoft 365 Education appears to track users regardless of their age, affecting a significant number of pupils and students in the EU and EEA.” noyb has urged the Austrian data protection authority to investigate the data flows and impose fines on Microsoft for non-compliance.
In conclusion, noyb is taking a proactive stance against tech companies like Microsoft to protect the privacy rights of school children and ensure compliance with the GDPR. The organization calls for greater transparency and accountability in data processing practices to safeguard the rights of minors in the EU and EEA.