Microsoft 'illegally' tracked students via 365 Education, says data watchdog

An Austrian digital privacy group has claimed victory over Microsoft after the country's data protection regulator ruled the software giant "illegally" tracked students via its 365 Education platform and used their data. noyb said the ruling [PDF] by the Austrian Data Protection Authority also confirmed that Microsoft had …

  1. TVU Silver badge

    "Microsoft 'illegally' tracked students via 365 Education, says data watchdog"

    As Mr C of The Shamen said on the Ebeneezer Goode track, "Naughty, naughty, very naughty".

    Seriously though, Microsoft is one of the worst offenders when it comes to data slurping and it ought now to step back from that in terms of less data collection and less detailed data collection and then it wouldn't fall foul of national data regulators.

    1. Rich 2 Silver badge

      If only the EU (and UK but fat chance there) just passed a law that said MS and all the rest of the big techies need to just stop bloody spying on everyone, then life would be much happier (obvs MS would not be happy but that would just make everyone else extra happy)

      1. kmorwath

        Actually I see many in EU and UK advocating for letting them hoard more data more freely, "because AI will save the world", of course.

        PS: of course "world"="our profits".

      2. I could be a dog really Silver badge

        > If only the EU (and UK but fat chance there) just passed a law that said MS and all the rest of the big techies need to just stop bloody spying on everyone

        You mean, like GDPR that (in essence) says you need permission to use someone's information - except for limited exceptions like where you need to in the course of executing a contract and so on.

        And which is widely ignored, and MS will outright lie to you about being able to comply with it while using their systems.

        This ruling is one more nail in the coffin, but I fear we need a lot more nails before this one dies.

    2. TangoDelta72
      Gimp

      Ebenezer Goode

      @TVU - Thanks for the memories!

      ________________________________________________________

      There's a guy in the place who's got a bittersweet face

      And he goes by the name of Ebeneezer Goode

      His friends call him 'Ezer and E is the main geezer

      And E vibes up the place like no other man could

      E's refined, E's sublime, E makes you feel fine

      Though very much maligned and misunderstood

      But if you know 'Ezer E's a real crowd pleaser

      E's ever so good - he's Ebeneezer Goode

      You can see that E's mischievous, mysterious and devious

      ________________________________________________________

      For the rest of the lyrics, here.

      Icon --> Shamen Fanboi.

  2. Aladdin Sane Silver badge

    Redmond argued schools, education authorities are responsible for GDPR

    That's not how this works.

    1. Doctor Syntax Silver badge

      Re: Redmond argued schools, education authorities are responsible for GDPR

      It's how it should work. If Microsoft makes it impossible then maybe they shouldn't be using Microsoft products.

      1. Aladdin Sane Silver badge

        Re: Redmond argued schools, education authorities are responsible for GDPR

        No, Microsoft shouldn't breach GDPR, nor should the authorities. M$ are trying to shirk their responsibilities here and deserve to be nailed for it.

      2. Dan 55 Silver badge

        Re: Redmond argued schools, education authorities are responsible for GDPR

        The school is the data controller, Microsoft is the data processor. Both are recognised in GDPR and neither can shift the blame onto the other. The school can't answer questions about how Microsoft internally treats the data that it processes, only Microsoft can. If Microsoft state they are GDPR compliant then the school can't be on the hook for Microsoft's lack of compliance.

        1. Anonymous Coward

          Re: Redmond argued schools, education authorities are responsible for GDPR

          "The school is the data controller, Microsoft is the data processor."

          If Microsoft are making decisions around aspects of processing personal data then it is acting as a Data Controller. This is covered in GDPR Article 28 (10):

          "10. Without prejudice to Articles 82, 83 and 84, if a processor infringes this Regulation by determining the purposes and means of processing, the processor shall be considered to be a controller in respect of that processing."

          1. Dan 55 Silver badge

            Re: Redmond argued schools, education authorities are responsible for GDPR

            Makes no difference, even if MS is considered the data controller then they still can't shift responsibility or direct complainants to the school.

            I suspect they try and shift responsibility onto the school precisely because if they answered requests about how they internally treat data they would clearly out themselves as both controller and processor.

      3. MachDiamond Silver badge

        Re: Redmond argued schools, education authorities are responsible for GDPR

        "If Microsoft makes it impossible then maybe they shouldn't be using Microsoft products."

        I see this as another example of entities choosing convenience at the cost of security. There's no good reason to have student applications interfacing with the internet. M$ could implement a LAN system so students can store their work, log into their accounts from any networked computer at the school and teachers can monitor those student accounts. A way can be found that lets students upload and download work so it can be done outside of school. Granted, it's easier if everything is on the internet, but M$ is going to be too tempted to snoop and so are others. It might also mean there are vulnerabilities to attacks from the outside either to slurp the data or damage those systems.

      4. best-heygman
        Mushroom

        Re: Redmond argued schools, education authorities are responsible for GDPR

        > It's how it should work. If Microsoft makes it impossible then maybe they shouldn't be using Microsoft products.

        You almost got it right. If Microsoft is not able to grant EU citizens their rights according to EU law, then they shouldn't be allowed to sell their products in Europe.

        Pretty much like child toys. If a company produces highly radioactive toys, then they are not allowed to sell them in the EU. It's not "well, it's the parents' fault if they buy that. They should have made a toxicological analysis before buying the toy".

      5. I could be a dog really Silver badge

        Re: Redmond argued schools, education authorities are responsible for GDPR

        > If Microsoft makes it impossible then maybe they shouldn't be using Microsoft products.

        There are multiple problems, but the fundamental one is that MS lies about their systems. For decades, they've claimed you can use their 365 ecosystem and "all you need to do is set your data storage to be in the EU". Those who understand this have always understood that this claim was a steaming pile of manure - only now are the cracks starting to appear, like this ruling, the recent admission to the French, and the like.

        But don't expect the authorities to actually do anything - by playing the long game, MS now have government sized ~~customers~~ victims over a barrel. By repeatedly choosing convenience over safety, "the world" has allowed itself to be led down a path that now sees us stuck - to "not use MS" would now be excruciatingly painful and expensive for too many ~~customers~~ victims and so they continue to choose convenience over long term safety.

  3. Doctor Syntax Silver badge

    "Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR. We will review the Austrian data protection authority's decision and decide on next steps in due course."

    Translation: "We're right. Maybe we'll get round to reading this bit of paper that says we're not and then work out how to ignore it because we're right."

  4. Anonymous Coward

    When is El Reg

    going to add a Chitty Chitty Bang Bang Childcatcher icon?

    1. xyz Silver badge

      Re: When is El Reg

      for anyone under 900, it was a film about an internal combustion engined car that could fly and was piloted/driven by a guy called Caractacus Pott (Crackpot...geddit?)

      1. Anonymous Coward

        Re: When is El Reg

        "for anyone under 900, it was a film about an internal combustion engined car" based on the set of books (3) of the same name.

        I've local translations of the set, printed in 1968, same year as the movie came out. Original books came out in 1965.

        OK ... I might be almost 900, but not quite yet.

        1. The Travelling Dangleberries

          Re: When is El Reg

          As no units were mentioned by "xyz" you could be over 9000 of them for all you know.

    2. Rich 2 Silver badge

      Re: When is El Reg

      Ooooo I like that idea :-)

    3. Dan 55 Silver badge
      Childcatcher

      Re: When is El Reg

      Who could say?

  5. Anonymous Coward

    Is anyone surprised at this?

    MS (like the other usual suspects) will spy on anything and everything they can to rob users of their data.

  6. nijam Silver badge

    Hammer them both, I say. Penalise MS for doing it, and the schools for choosing inappropriate software and service provider(s).

    Definitely the way forward.

    1. Anonymous Coward

      Trouble is, penalising the schools would fail the Daily Wail test - think of the headlines the red tops could make from authorities taking valuable resources from schools so they can't pay for teaching.

      Penalising MS will be too late and too little (yet again). Not least, because they are now in a position where they can effectively say "nice [government|department|organisation] you have there, pity if anything happened to it" - because with a few exceptions, whole government assemblages are (virtually) irretrievably tied into the MS ecosystem without MASSIVE effort in developing/sponsoring an alternative. Like it or not (I don't, I absolutely ****ing hate it - I'm afflicted with it at work), M365 is the de-facto standard-that-isn't-a-standard-even-though-there's-an-ISO that ties its victims into proprietary data storage and workflows.

  7. GNU Enjoyer
    Angel

    The end result will be nothing happening to microsoft

    The only way microsoft could be stopped from relentlessly committing its minor, moderate and major crimes against humanity is to execute the company and prosecute the executives - but that will never happen.
