The Austrian data protection authority has ruled that Microsoft illegally installed tracking cookies on a student’s device through its 365 Education platform.
The Ruling
Austria’s Data Protection Authority (DSB) issued a decision on 21 January 2026 finding that Microsoft placed tracking cookies on a minor’s device without obtaining valid consent under GDPR.
The cookies in question – including MC1, FPC, MSFPC, MicrosoftApplicationsTelemetryDeviceId, and ai-session – analyse user behaviour, collect browser data, and are used for advertising purposes. The DSB concluded these were not technically required to deliver the education service. Microsoft has four weeks to stop using the tracking cookies.
Both the school involved and Austria’s Ministry of Education told the regulator they had no idea Microsoft 365 Education installed tracking cookies. This only came to light after privacy campaign group noyb filed complaints.
Microsoft argued that its EU subsidiary in Ireland handles Microsoft 365 products in Europe. The DSB rejected this and found that Microsoft US makes the relevant decisions – a notable finding given that US tech companies often claim Irish jurisdiction, where enforcement of EU data protection law has been slower.
Not an Isolated Case
This is the second successful complaint noyb has brought against Microsoft 365 Education in Austria. In October 2025, the DSB ruled that Microsoft violated GDPR’s right of access provisions under Article 15, ordering the company to explain vague terms in its privacy documentation.
The Austrian ruling also follows long-standing concerns elsewhere in Europe. Germany’s Conference of Independent Data Protection Authorities (DSK) concluded in November 2022 that Microsoft 365 cannot be used in compliance with GDPR. The DSK found that Microsoft does not fully disclose which data processing operations take place, and does not clarify which operations serve Microsoft’s own purposes versus those performed for customers. Following this assessment, several German states banned Microsoft 365 in schools.
France has also restricted Microsoft Office 365 and Google Workspace cloud services in schools, and prohibited cloud hosting of data on these platforms in government ministries, over similar privacy concerns.
The Problem for Schools
Microsoft 365 Education is used by millions of students and teachers across Europe. Because Microsoft uses uniform terms and privacy documentation across the EU, noyb argues that children in every member state face the same exposure.
Schools face a difficult position. Microsoft shifts data protection compliance obligations onto educational institutions that have little practical control over how student data is processed. Most schools lack the bargaining power to negotiate terms, leaving them in what noyb describes as a ‘take it or leave it’ situation.
Felix Mikolasch, data protection lawyer at noyb, said in a statement: ‘Tracking minors clearly is not privacy-friendly. It seems like Microsoft does not care much about privacy, unless it is for their marketing and PR statements.’
Max Schrems, founder of noyb, added in a statement: ‘Companies and authorities in the EU should use compliant software. Microsoft has once again failed to comply with the law.’
Microsoft’s Response
A Microsoft spokesperson said the company is reviewing the decision. ‘Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR,’ the spokesperson stated.
Sources:
