Austrian DPA Rules Against Microsoft Tracking

  • Austria’s data protection authority has ruled that Microsoft unlawfully placed tracking cookies on a student’s device through Microsoft 365 Education.
  • The decision marks the second major win for privacy group noyb in its cases against the platform.
  • The ruling may have broader implications for organisations across Europe that rely on Microsoft 365.

Second ruling confirms unlawful tracking

The Austrian data protection authority (DSB) has determined that Microsoft installed tracking cookies on a pupil’s device without consent. These cookies, according to Microsoft’s own documentation, analyse user behaviour, collect browser data and support advertising‑related functions. The authority has ordered Microsoft to stop tracking the complainant within four weeks. Both the school involved and the Austrian Ministry of Education stated they were unaware that such tracking was taking place.

This decision follows a previous ruling in October 2025 concerning Microsoft 365 Education. In that earlier case, the DSB found that Microsoft had violated the right of access under Article 15 of the GDPR. The new ruling addresses the second complaint filed by noyb in June 2024, which focused specifically on unlawful tracking cookies. Together, the two decisions highlight ongoing concerns about how Microsoft handles personal data in educational environments.

Privacy advocates argue that tracking minors is particularly problematic. Felix Mikolasch, a data protection lawyer at noyb, criticised Microsoft’s practices and questioned the company’s commitment to privacy. His comments reflect broader frustration among privacy groups regarding the use of behavioural data in educational tools. The case underscores the heightened sensitivity around children’s data under EU law.

Jurisdictional arguments rejected by regulators

During the proceedings, Microsoft attempted to argue that its Irish subsidiary is responsible for Microsoft 365 products in Europe. The DSB rejected this claim and concluded that Microsoft’s U.S. entity makes the relevant decisions. This finding aligns with concerns that some large technology companies use Irish jurisdiction to avoid stricter enforcement elsewhere in the EU. Regulators have long noted that the Irish Data Protection Commission has been slow to act on major GDPR cases.

The ruling therefore places responsibility directly on Microsoft’s U.S. operations. This outcome may influence how future cases involving multinational technology firms are assessed. It also raises questions about the effectiveness of the “main establishment” principle under the GDPR. The decision could encourage other EU regulators to take a more assertive approach when dealing with cross‑border data processing.

Microsoft 365 Education is widely used across European schools. Millions of students and teachers rely on the platform for daily learning activities. The DSB’s findings suggest that organisations using Microsoft 365 may need to reassess their compliance obligations. German data protection authorities have already expressed concerns that Microsoft 365 does not fully meet GDPR requirements.

Potential consequences for Microsoft 365 users

The ruling may have far‑reaching implications for public institutions and private companies using Microsoft 365. Tracking users without consent is incompatible with EU data protection rules, regardless of the context in which the software is deployed. Organisations that rely on the platform may face increased scrutiny from regulators. They may also need to consider alternative tools if compliance cannot be ensured.

Max Schrems, chair of noyb, emphasised that EU organisations should use software that meets legal standards. He argued that Microsoft has repeatedly failed to comply with GDPR obligations. His comments reflect ongoing tensions between privacy advocates and major technology providers. The case adds to a growing list of regulatory challenges facing cloud‑based productivity platforms.

The DSB’s decision may prompt further investigations in other EU member states. Regulators across Europe have been examining the data practices of large software providers. This ruling could accelerate those efforts and lead to additional enforcement actions. The outcome may also influence future procurement decisions by public authorities.

Microsoft 365 has been the subject of multiple GDPR‑related inquiries in recent years. Several European governments have raised concerns about telemetry data, cross‑border transfers and the transparency of Microsoft’s processing activities. Privacy groups argue that educational deployments require especially strict safeguards due to the vulnerability of minors. The latest ruling adds momentum to ongoing debates about the suitability of U.S. cloud services in sensitive public‑sector environments.


 
