London: Privacy rights organisation NOYB on Tuesday lodged two complaints with Austria’s data protection authority against tech giant Microsoft for allegedly violating children’s data protection rights.

The non-profit organisation said that Microsoft’s ‘365 Education’ services violate children’s data protection rights. When pupils wanted to exercise their General Data Protection Regulation (GDPR) rights, Microsoft said schools were the “controller” for their data.

“However, the schools have no control over the systems,” said Noyb. Microsoft, alleged the complaint, is trying to contractually dump most of its legal responsibilities under the GDPR on schools that provide Microsoft 365 Education services to their pupils or students.

“This means, for example, that access requests to Microsoft go unanswered – while schools have no realistic way of complying with such requests because they don’t hold the necessary data,” the non-profit mentioned. 

Maartje de Graaf, data protection lawyer at noyb, said that this take-it-or-leave-it approach by software vendors such as Microsoft is shifting all GDPR responsibilities to schools. “Microsoft holds all the key information about data processing in its software but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations,” de Graaf said.

Microsoft provides such “vague information” that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. “It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection,” said de Graaf.