TelecomLead

Austria Rules Microsoft 365 Education Tracked Students, Exposing GDPR Failures in Schools

Privacy advocacy group noyb has secured another significant win against Microsoft, after Austria’s data protection authority ruled that Microsoft 365 Education unlawfully installed tracking cookies on a pupil’s device without valid consent. The decision not only orders Microsoft to halt such tracking practices but also exposes deeper structural problems around responsibility, transparency, and GDPR compliance in digital education across Europe.

In a ruling dated January 21, 2026, Austria’s Data Protection Authority (DSB) found that Microsoft violated the EU General Data Protection Regulation by placing technically non-essential cookies on the device of a minor using Microsoft 365 Education. The regulator ordered Microsoft to stop using these cookies within four weeks.

Tracking and advertising cookies used without consent

According to the DSB, Microsoft installed cookies that analyse user behaviour, collect browser-related data, and are used for advertising and analytics purposes. These included cookies such as MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session.

The authority concluded that these cookies were not technically required to deliver the education service and were set without any valid legal basis under Article 6 of the GDPR. Because the data concerned a pupil, the DSB emphasised the heightened sensitivity of the violation, noting that EU law requires explicit consent for non-essential cookies, especially where minors are involved.

Second regulatory defeat following earlier GDPR breach

This decision marks the second successful complaint brought by noyb against Microsoft 365 Education in Austria. In October 2025, the DSB ruled on a separate complaint filed in June 2024, finding that Microsoft had violated the right of access under Article 15 of the GDPR.

In both cases, the authority rejected Microsoft’s explanations and found systemic non-compliance. The latest ruling again ordered Microsoft to cease the unlawful processing within four weeks, noyb said in a blog post.

Notably, both the school involved and the Austrian Ministry of Education told the authority they were unaware that Microsoft 365 Education installed tracking cookies at all, raising serious questions about transparency and oversight.

Microsoft US found responsible, not Irish subsidiary

Microsoft attempted to argue that its Irish subsidiary should be considered the responsible entity for Microsoft 365 products in Europe, which would have shifted the case to Irish jurisdiction. The DSB dismissed this claim, ruling that Microsoft Corporation in the United States makes the key decisions about product design and data processing, including the use of cookies.

Privacy advocates have long criticised large US technology companies for attempting to route GDPR enforcement through Ireland, where investigations are often slower and more complex.

Schools left holding responsibility without real control

Beyond the cookie issue, the case highlights a broader structural problem in digital education. According to noyb, large software vendors such as Microsoft wield enormous market power, allowing them to impose standard contracts on schools with little or no room for negotiation.

While Microsoft retains control over how user data is processed, schools are contractually designated as controllers under the GDPR and expected to ensure compliance. In practice, they lack both the technical insight and the bargaining power to influence Microsoft’s data practices.

Maartje de Graaf, data protection lawyer at noyb, said this “take-it-or-leave-it” model effectively shifts GDPR responsibilities onto schools. She noted that Microsoft holds all key information about its data processing, yet directs schools to handle transparency obligations and data subject rights.

In Austria, school principals are formally tasked with determining the “purposes and means” of processing under Article 4(7) of the GDPR. According to noyb, this creates a compliance framework that is completely detached from reality, as local schools cannot realistically audit or instruct a global software provider.

GDPR rights ignored and access requests unanswered

The complaints also revealed persistent failures to respect core GDPR rights. Microsoft has been accused of contractually shifting its legal obligations onto schools, resulting in access requests going unanswered. Schools themselves cannot comply with such requests because they do not possess the underlying data or insight into Microsoft’s internal systems.

According to noyb, this arrangement undermines the GDPR’s transparency and accountability principles, leaving pupils and parents without meaningful control over their personal data.

Opaque and fragmented privacy documentation

Another central criticism concerns Microsoft’s privacy documentation for Microsoft 365 Education. According to noyb, determining which policies apply requires navigating a maze of documents, terms, and contracts that often provide overlapping but inconsistent information.

The documentation remains vague about what data is collected, how it is processed, and for what purposes, particularly in relation to children’s data.

De Graaf said that even qualified lawyers struggle to fully understand Microsoft’s data practices based on the available documentation, making it nearly impossible for children or parents to assess the extent of data collection.

Allegations of widespread tracking of minors

The cookie ruling reinforces noyb’s broader concern that Microsoft 365 Education tracks users regardless of age. According to the organisation’s analysis, tracking cookies were installed despite the lack of consent, potentially affecting hundreds of thousands of pupils and students across the EU and EEA.

Felix Mikolasch, data protection lawyer at noyb, described the findings as deeply worrying and called on authorities to more effectively enforce the rights of minors.

Because Microsoft 365 Education uses uniform terms and privacy documentation across Europe, noyb argues that children in all EU and EEA countries are exposed to the same violations.

Broader implications for schools and public authorities

Microsoft 365 Education is used by millions of students and teachers across Europe, while the standard Microsoft 365 suite is also widely deployed by companies, public institutions, and government bodies.

The DSB decision reinforces that tracking users without consent is incompatible with EU law and may prompt renewed scrutiny of Microsoft software deployments across the region. German data protection authorities have previously warned that Microsoft 365 does not fully meet GDPR requirements.

Max Schrems, founder of noyb, said the ruling should serve as a warning to organisations relying on non-compliant software, arguing that EU authorities and institutions should prioritise GDPR-compliant alternatives.

What happens next

Microsoft has four weeks to comply with the Austrian authority’s order and stop using non-essential tracking cookies in Microsoft 365 Education without consent. The company can appeal the decision to Austria’s Federal Administrative Court.

Unless overturned, the ruling is likely to increase regulatory pressure on Microsoft and could accelerate broader enforcement actions related to digital education, children’s data protection, and the role of Big Tech in European schools.

BABURAJAN KIZHAKEDATH
