The Austrian Data Protection Authority last month ruled that Microsoft Corporation illegally installed tracking cookies on devices used by school children and must cease this practice within four weeks.

According to the decision announced January 27, 2026, Microsoft placed cookies on a student's device during use of Microsoft 365 Education; the cookies analyze user behavior, collect browser data and are used for advertising purposes. Neither the school nor the Austrian Ministry of Education claimed awareness of such tracking cookies before the complaints were filed.

The ruling represents the second enforcement action against Microsoft's educational software suite following an October 2025 decision where the authority determined Microsoft violated GDPR access rights.

Systematic tracking without knowledge

The complaint originated from noyb - European Center for Digital Rights, which filed two complaints in June 2024 concerning Microsoft 365 Education deployment in Austrian schools. When the student's father submitted access requests in August and September 2023, Microsoft directed him to the school as the purported data controller. The school claimed responsibility only for the student's email address.

Technical analysis revealed multiple cookies being set automatically during Microsoft 365 Education use. According to Microsoft's own documentation, these cookies serve purposes including identifying unique web browsers visiting Microsoft websites, analyzing user behavior, collecting browser data and supporting advertising operations.

"Tracking minors clearly isn't privacy-friendly," Felix Mikolasch, data protection lawyer at noyb, stated in the announcement. "It seems like Microsoft doesn't care much about privacy, unless it is for their marketing and PR statements."

The data protection authority ordered Microsoft to cease tracking the complainant within four weeks, establishing a precedent that could affect millions of European students using the educational platform. Both the school and Ministry of Education claimed ignorance of the tracking mechanisms before noyb brought the violations to their attention.

Microsoft Ireland jurisdiction rejected

During proceedings, Microsoft attempted to shift regulatory responsibility to its Irish subsidiary, arguing Microsoft Ireland Operations Limited manages Microsoft 365 products across Europe. The Austrian authority decisively rejected this argument, determining Microsoft Corporation in the United States makes relevant decisions about the product.

The ruling aligns with growing scrutiny of corporate structures designed to route enforcement through the Irish Data Protection Commission, which has faced criticism for limited GDPR enforcement against US technology companies.

European privacy advocates have documented systematic attempts by American technology firms to claim Irish jurisdiction, where regulatory enforcement historically proves less aggressive than other member states. The Austrian authority's determination that Microsoft US controls product development and implementation undermines these jurisdictional strategies.

Far-reaching implications for enterprise software

Microsoft 365 Education reaches millions of students and teachers across European educational institutions. The standard Microsoft 365 product, deployed by companies and government authorities throughout the region, operates under similar data processing agreements.

German data protection authorities previously identified GDPR compliance shortfalls in Microsoft 365 deployments. The Hessian Data Protection Commissioner concluded in November 2025 that Microsoft could operate within GDPR requirements only after extensive negotiations addressing seven critical deficiencies in data protection documentation.

Max Schrems commented on the broader compliance landscape: "Companies and authorities in the EU should use compliant software. Microsoft has once again failed to comply with the law."

Organizations deploying Microsoft 365 face increasing scrutiny regarding whether they can demonstrate GDPR compliance when the software vendor tracks users without adequate consent mechanisms. The Austrian decision establishes that tracking without consent violates EU law regardless of contractual arrangements between Microsoft and institutional customers.

The decision emphasizes fundamental consent principles under GDPR and Austria's Telecommunications Act. Tracking cookies require active user consent before deployment. Pre-configured tracking that activates by default violates privacy-by-design requirements under GDPR Article 25.

For minors below age 14 in Austria, parental consent becomes mandatory for data processing requiring consent. Microsoft 365 Education specifically targets educational institutions serving minors, making these consent requirements particularly relevant.

The Austrian authority determined that cookies identified as MC1, FPC, MSFPC and MicrosoftApplicationsTelemetryDeviceId serve purposes beyond technical necessity. According to enforcement guidance from Austrian and other European regulators, only cookies strictly necessary for service delivery can be set without consent.

Microsoft's documentation describes these cookies as analyzing user behavior and supporting advertising operations - purposes falling outside technical necessity exemptions. The authority ordered verification within ten weeks to confirm whether data from these cookies is still being processed, with deletion required if ongoing processing is discovered.

Responsibility shifting challenged

The case exposed systematic responsibility shifting between Microsoft, educational institutions and government ministries. When access requests reached Microsoft, the company redirected users to schools claiming schools controlled data processing. Schools responded that they lacked access to data held by Microsoft.

This responsibility diffusion prevented effective exercise of GDPR rights. The Austrian decision allocated clear responsibilities: Microsoft bears accountability as controller for its own tracking purposes, while schools and the Education Ministry share responsibility for data processing under their control.

The authority found that Microsoft provided insufficient information to schools about tracking mechanisms embedded in Microsoft 365 Education. Schools cannot fulfill transparency obligations when software vendors withhold technical details about data processing operations.

Educational institutions deploying Microsoft 365 Education received orders to provide complete information about cookie deployments and data transmissions to Microsoft. The Ministry must supply this information within ten weeks, while Microsoft faces a four-week deadline for its portion of required disclosures.

Technical evidence demonstrates tracking

Technical analysis submitted by noyb documented extensive data flows during Microsoft 365 Education use. On July 31, 2023, network monitoring captured requests to domains containing "telemetry" in their names during simple document creation tasks.

Browser analysis revealed cookies being set automatically upon accessing Microsoft 365 Education, before any user interaction with consent interfaces. The cookies contained unique randomly generated identifiers enabling user individualization and tracking across web properties.
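A school administrator or data protection officer can repeat this kind of check against a browser HAR export. The sketch below is an added example, not code from noyb, the authority or Microsoft: it flags the four cookie names listed in the decision when they are set before a consent timestamp, and lists contacted hosts containing "telemetry". The sample capture, host names and cookie values are constructed placeholders.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Cookie names the authority found to go beyond technical necessity (from the article).
FLAGGED_COOKIES = {"MC1", "FPC", "MSFPC", "MicrosoftApplicationsTelemetryDeviceId"}

def _entry(ts, url, set_cookie_values=()):
    """Build one HAR-style entry for the constructed sample below."""
    headers = [{"name": "Set-Cookie", "value": v} for v in set_cookie_values]
    return {"startedDateTime": ts, "request": {"url": url},
            "response": {"headers": headers}}

# Constructed capture: hosts, timestamps and identifiers are placeholders.
SAMPLE_HAR = {"log": {"entries": [
    _entry("2024-01-01T09:00:00Z", "https://office.example.test/start",
           ["MC1=GUID=constructed-1; Path=/\nsession=abc; HttpOnly"]),
    _entry("2024-01-01T09:00:02Z", "https://events.telemetry.example.test/collect",
           ["MSFPC=GUID=constructed-2; Path=/"]),
    _entry("2024-01-01T09:00:30Z", "https://office.example.test/doc",
           ["FPC=constructed-3; Path=/"]),
]}}

def _ts(value):
    # HAR timestamps end in "Z"; older Python versions need an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(har, consent_time=None):
    """Return (flagged cookies set without prior consent, telemetry hosts).

    consent_time is the ISO timestamp of the user's consent click,
    or None if no consent was ever given during the capture.
    """
    cutoff = _ts(consent_time) if consent_time else None
    early, telemetry_hosts = [], set()
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname or ""
        if "telemetry" in host.lower():
            telemetry_hosts.add(host)
        if cutoff is not None and _ts(entry["startedDateTime"]) >= cutoff:
            continue  # set after consent: not a pre-consent finding
        for header in entry["response"]["headers"]:
            if header["name"].lower() != "set-cookie":
                continue
            # Some browsers merge several Set-Cookie headers with newlines.
            for line in header["value"].split("\n"):
                name = line.split("=", 1)[0].strip()
                if name in FLAGGED_COOKIES:
                    early.append((name, host))
    return early, sorted(telemetry_hosts)
```

Passing `consent_time=None` treats every flagged cookie in the capture as set without consent, which matches a session where no consent dialog was ever answered.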

Protocol data showed connections to third-party services including LinkedIn and OpenAI-related domains during Microsoft 365 Education sessions. The authority ordered Microsoft to clarify whether student data reached these third parties and for what purposes.

Microsoft's responses during proceedings acknowledged processing personal data for what the company termed "legitimate business operations." These purposes included internal reporting, business modeling, fraud prevention and "improving core functionality regarding accessibility, data protection or energy efficiency."

The Austrian authority determined these descriptions lacked sufficient clarity and precision to satisfy GDPR transparency requirements, particularly given the student population affected. Microsoft received orders to provide comprehensible explanations of these processing purposes rather than abstract terminology.

Enforcement mechanisms established

The Austrian Data Protection Authority deployed GDPR's full enforcement toolkit. Beyond the immediate cessation order, the decision establishes ongoing verification requirements and deletion obligations if improper cookie data processing continues.

The four-week deadline for Microsoft contrasts with ten-week periods granted to educational institutions, reflecting different compliance challenges. Microsoft controls technical systems enabling immediate tracking cessation, while schools must coordinate with Microsoft to access necessary information for transparency obligations.

The decision permits enforcement action if Microsoft fails to comply within the specified deadline. Austrian data protection law authorizes financial penalties and other corrective measures for non-compliance with regulatory orders.

Similar enforcement patterns have emerged across European jurisdictions. Dutch authorities fined retailers for cookie violations, while French regulators imposed substantial penalties on publishers for tracking without consent.

The Austrian case demonstrates regulatory willingness to confront major technology vendors over practices affecting vulnerable populations. Enforcement targeting educational technology reflects growing concern about commercial data collection from minors through institutional deployments.

Broader context for children's data protection

The ruling arrives as German authorities call for enhanced GDPR protections specifically addressing children's data. The November 2025 resolution from German data protection authorities identified ten GDPR provisions requiring modification to adequately protect minors from commercial data processing.

These proposals emphasize children's structural disadvantages in understanding long-term consequences of data processing decisions. Current regulations prove insufficient despite acknowledging children's vulnerability as a special category requiring enhanced protection.

Educational technology vendors occupy privileged positions where institutions mandate software use, eliminating meaningful choice for students and families. This captive user base creates particular obligations for privacy protection that the Austrian decision now enforces.

Microsoft's approach - implementing tracking by default while claiming schools control data processing - exemplifies the responsibility shifting that regulatory authorities increasingly reject. The decision establishes that technology vendors cannot escape accountability through contractual arrangements that assign formal responsibility to institutional customers lacking actual control.

Timeline

Summary

Who: The Austrian Data Protection Authority ruled against Microsoft Corporation following complaints by noyb - European Center for Digital Rights on behalf of a minor student using Microsoft 365 Education in an Austrian school. The decision also addresses responsibilities of the school and Austrian Ministry of Education as joint data controllers.

What: Microsoft illegally installed and operated tracking cookies on student devices without obtaining required consent, violating GDPR Articles 5, 6 and 12-15. The cookies analyzed user behavior, collected browser data and served advertising purposes according to Microsoft's documentation. The authority ordered Microsoft to cease tracking within four weeks and delete improperly collected data.

When: The violations occurred during the 2023 school year, with access requests submitted August-October 2023. The Austrian Data Protection Authority issued its decision on January 27, 2026, following complaints filed in June 2024. This represents the second enforcement action after an October 2025 ruling on access rights violations.

Where: The case originated in Vienna, Austria, affecting Microsoft 365 Education deployments in Austrian schools. The precedent applies throughout European Economic Area member states under GDPR consistency mechanisms, potentially impacting millions of students using Microsoft educational software across European institutions.

Why: The authority acted to protect children's privacy rights from commercial tracking in educational settings. Schools and education ministries lacked knowledge of tracking mechanisms, while Microsoft claimed schools controlled data processing despite operating tracking systems for Microsoft's own business purposes including advertising support and behavioral analysis.
