Austria's data protection authority has ordered Microsoft to stop tracking schoolchildren through its education software, ruling the company illegally processed student data without consent - a stark demonstration of how Brussels' privacy rules give national regulators teeth to challenge Big Tech.
The January 21 decision, first reported by campaigners, found Microsoft lacked a proper legal basis for using tracking cookies in software deployed across Austrian schools. The company has four weeks to remove "cookies that are not technically necessary" - those that analyze user behavior for advertising purposes.
Brussels decides more than you think - and Austrian schoolchildren just benefited from one of those decisions.
The ruling follows complaints filed in 2024 by noyb (None of Your Business), the Vienna-based privacy advocacy group led by lawyer Max Schrems, who has made a career of weaponizing the EU's General Data Protection Regulation (GDPR) against American tech giants.
The Austrian Data Protection Authority (DSB) concluded that Microsoft installed tracking cookies without obtaining meaningful consent from students, parents, or schools. These cookies weren't necessary for educational software to function - they existed to harvest behavioral data that could inform Microsoft's advertising and product development strategies.
For non-Europeans, a primer on GDPR: the 2018 regulation fundamentally shifted the burden of proof in data collection. Companies must demonstrate they have a lawful basis to process personal information - typically explicit consent or contractual necessity. Crucially, consent must be freely given, and children in schools lack the autonomy to genuinely consent when educational institutions mandate certain software.
This creates a legal dilemma for tech companies. If schools require Microsoft products, students must use them. But mandatory use means students can't freely consent to data collection. And if there's no consent, there's no lawful basis for tracking cookies. GDPR, meet Big Tech. Big Tech, enjoy your €20 million fine - or 4% of global revenue, whichever is higher.
The Austrian case represents noyb's latest GDPR victory. The organization has filed hundreds of complaints across the EU, pressuring regulators to enforce rules that many initially treated as aspirational guidelines. Ireland - which hosts most US tech companies' European headquarters - faces particular criticism for sluggish enforcement, leading to several cases where stricter national authorities like Austria's have taken action instead.
For Microsoft, the ruling is both narrow and significant. Narrow because compliance in Austria costs little and the company can simply disable certain tracking features in school software. Significant because it establishes a precedent that education software cannot serve as a Trojan horse for data harvesting, even when schools choose to adopt it.
The broader implications extend beyond one American company. Google's education suite, Apple's classroom tools, and countless EdTech startups all rely on data collection to improve products and target services. If the Austrian interpretation spreads - that mandatory school software cannot legally track students because students cannot freely consent - the entire educational technology business model faces disruption across the EU's 27 member states.
Brussels decides more than you think - and sometimes, Brussels' decisions protect Austrian schoolchildren from having their learning behavior monetized by Redmond. Whether Microsoft complies fully or finds creative technical workarounds remains to be seen. But noyb has already moved on to the next target. There are always more American tech companies to sue, and GDPR provides the ammunition.


