GDPR & Compliance • 6 min

Austria Rules Microsoft Illegally Tracked Students: What It Means for Schools Using Big Tech

On January 21, 2026, Austria's Data Protection Authority ruled that Microsoft illegally placed tracking cookies on a student's device. Neither the school nor the education ministry knew it was happening.

Simpleclass Team

On January 21, 2026, Austria's Data Protection Authority (DSB) issued a ruling that should concern every school using Microsoft 365 Education: the company illegally installed tracking cookies on a student's device without valid consent.

This is the second time Microsoft has lost a GDPR case in Austria over its education software. And the details reveal a deeper problem: schools are being held responsible for privacy violations they don't even know are happening.

What Microsoft actually did

According to the Austrian regulator, Microsoft 365 Education installed cookies that:

  • Analyze user behavior
  • Collect browser-related data
  • Are used for advertising and analytics purposes

These weren't technically necessary cookies required to deliver the education service. They were tracking cookies — and they were placed on a minor's device without any valid legal basis under Article 6 of the GDPR.

The Austrian authority was explicit: EU law requires explicit consent for non-essential cookies, especially when minors are involved. Microsoft had no such consent.

Schools didn't know

Here's the part that should worry educators: both the school and the Austrian Ministry of Education stated they were not aware of these tracking cookies before the privacy advocacy group noyb filed complaints.

Think about that. A school adopted Microsoft 365 Education — a product marketed specifically for educational use — and had no idea it was tracking students for advertising purposes. The ministry that oversees education didn't know either.

This isn't unusual. Large software vendors wield enormous market power. Schools accept standard contracts with little room for negotiation. The terms of service are dense, technical, and often incomprehensible even to IT professionals. Schools trust that "education" products are appropriate for educational settings.

That trust was misplaced.

Microsoft's defense — and why it failed

Microsoft tried two arguments, both rejected by the Austrian authority:

First, Microsoft claimed it wasn't the data controller — that it was merely processing data on behalf of schools, making the schools responsible. The DSB rejected this, noting that Microsoft makes the key decisions about product design and data processing, including the use of cookies. Microsoft Corporation in the United States, not the schools, decided to install tracking cookies.

Second, Microsoft tried to shift jurisdiction to Ireland, arguing that its Irish subsidiary should handle the case (Ireland is known for slower GDPR enforcement). The DSB dismissed this too, ruling that US-based Microsoft Corporation makes the relevant decisions.

Microsoft's response to the ruling? "Microsoft 365 for Education meets all required data protection standards." They're reviewing the decision.

This isn't the first time

In October 2025, the same Austrian authority ruled on a separate complaint against Microsoft 365 Education. That case found Microsoft violated the right of access under Article 15 of the GDPR — essentially, when a student asked what data Microsoft had about them, Microsoft couldn't (or wouldn't) fully answer.

German data protection authorities have already concluded that Microsoft 365 falls short of GDPR requirements.

Microsoft 365 Education is used by millions of students and teachers across Europe. If tracking users without consent is standard behavior, this isn't just an Austrian problem — it's a European one.

What this means for schools

Under GDPR, schools can be held responsible for the data processing that happens on their watch — even when they didn't know about it, even when they couldn't have negotiated different terms.

The Austrian ruling reprimanded both the school and the Ministry of Education for not informing students about the collection and disclosure of their personal data. In other words: ignorance isn't a defense.

This creates an impossible situation. Schools don't have the technical expertise to audit Microsoft's code. They can't read the cookies being set. They rely on vendors to be honest about what their software does.

When that trust breaks down, schools face legal exposure for violations they had no way to prevent.

The alternative: platforms that don't track

Not every platform operates like Microsoft. Some are built with privacy as a foundational principle rather than an afterthought.

At Simpleclass, we made deliberate choices:

No tracking cookies. We don't install cookies that analyze user behavior for advertising. Period. There's nothing to consent to because we're not doing it in the first place.

Minimal data collection. We collect only what's necessary to make the platform work: accounts, session schedules, and the video/audio needed for classes. We don't build behavioral profiles. We don't harvest data for "internal reporting and business modeling."

Server-side analytics only. We use privacy-respecting analytics to understand how our platform performs — not to track individual students. No personal data is shared with advertising networks.

We don't sell data. Your student data is yours. We're not monetizing it. We're not sharing it with third parties for their own purposes.

European company, European servers. Simpleclass is a Dutch company with servers in the Netherlands and France. We're not subject to the US CLOUD Act. Your data stays in the EU, under EU law.

Questions to ask your current platform

If you're running a school or tutoring institution, the Austrian ruling should prompt some hard questions about your current video platform:

  • What cookies does the platform set? Are they all technically necessary?
  • Is user behavior being tracked for advertising or analytics purposes?
  • Who is the actual data controller — you or the vendor?
  • Can you get a clear, complete answer about what data is collected about your students?
  • Where is the vendor incorporated? Are they subject to foreign data access laws?

If you can't get clear answers, that's a problem. As the Austrian case shows, "we didn't know" doesn't protect you from regulatory action.

Privacy isn't optional

Max Schrems, founder of noyb, summarized the ruling: "Companies and authorities in the EU should use compliant software. Microsoft has once again failed to comply with the law."

For schools, the message is clear: choosing a platform isn't just about features and price. It's about whether the vendor respects your students' privacy — and whether you can trust them to be honest about what they're doing with data.

Simpleclass exists because we believe tutoring institutions deserve better than being caught in the crossfire of Big Tech's privacy violations. We built a platform that does what schools need — breakout room monitoring, session recording, simple scheduling — without the surveillance that comes with enterprise software repurposed for education.

Your students aren't products. Their data shouldn't be either.