Austrian watchdog orders Microsoft to stop tracking schoolchildren in Microsoft 365 Education
Austria’s data protection authority has ruled that Microsoft unlawfully used tracking cookies on a student’s device through its education software, marking a further regulatory setback for the company’s use of personal data in schools.
The Austrian Data Protection Authority (DSB) has ordered Microsoft to stop using tracking cookies in its Microsoft 365 Education service after finding that the company processed a pupil’s data without valid consent. The decision follows a complaint brought by the digital rights organisation noyb (None of Your Business) and gives Microsoft four weeks to comply.
According to the ruling, Microsoft placed cookies on the device of a minor that were capable of analysing user behaviour, collecting browser data, and supporting advertising-related purposes. The authority relied in part on Microsoft’s own documentation to assess the nature and function of the cookies. Both the school involved and the Austrian Ministry of Education stated during the proceedings that they were not aware that such tracking was taking place.
This is the second decision by the DSB against Microsoft arising from complaints filed by noyb in June 2024. In an earlier ruling issued in October 2025, the authority found that Microsoft had violated the right of access under Article 15 of the General Data Protection Regulation (GDPR). The latest case focused specifically on the legality of tracking technologies used in an educational context.
During the proceedings, Microsoft argued that responsibility for Microsoft 365 products in Europe lies with its Irish subsidiary. The DSB rejected this claim, concluding instead that key decisions about the service were taken by Microsoft in the United States. As a result, the Austrian authority asserted jurisdiction over the case.
Why does it matter?
Microsoft 365 Education is widely used across Europe by schools, teachers, and students. Data protection authorities in several EU member states, including Germany, have previously raised concerns about the compatibility of Microsoft 365 with GDPR requirements. The Austrian decision may therefore have implications beyond the individual case, particularly for public bodies and educational institutions relying on the software.
