noyb win: Microsoft ordered to stop tracking school children
noyb.eu
The DSB decided that Microsoft unlawfully placed tracking cookies on the devices of a pupil

In June 2024, the rights group noyb had filed two complaints concerning Microsoft 365 Education in schools with the Austrian DSB [“Datenschutzbehörde”]. The first complaint was decided in October 2025. Back then, the DSB held that Microsoft violated the right of access under Article 15 GDPR. The second complaint, which has now been decided, concerned the use of unlawful tracking cookies in Microsoft 365 Education.

[…]

During the proceedings, Microsoft also tried to argue that their EU subsidiary in Ireland is in charge of Microsoft 365 products in Europe. The DSB rejected that argument and held that, in fact, Microsoft US is making the relevant decisions. US big tech companies regularly argue that they fall under Irish jurisdiction, because the Irish Data Protection Commission is known to hardly enforce EU law.

Likely far-reaching consequences for Microsoft 365. Microsoft 365 Education is used by millions of students and teachers across Europe. Millions of other people use the standard “Microsoft 365” at companies and authorities in Europe. Tracking users without consent is not compliant with EU law, which is an issue for all organisations using Microsoft 365. The German data protection authorities have already considered Microsoft 365 to fall short of the requirements of the GDPR.

[…]