Privacy rights NGO NOYB has filed two formal complaints with the data protection authority in Austria, alleging that Microsoft’s ‘365 Education’ services infringe upon children’s data privacy rights.

NOYB claims that when students attempt to exercise their GDPR rights, Microsoft avoids responsibility by labelling schools as the “controllers” of the students’ data. This, according to NOYB, is a ploy by the tech giant to shift its legal obligations onto educational institutions which lack the control and resources to manage affairs effectively.

“Schools simply do not have control over these systems,” NOYB stated. The not-for-profit organisation, led by lawyer Max Schrems, argues that the scenario leaves schools unable to fulfil data access requests, as they do not possess the necessary information themselves. Many access requests sent to Microsoft do not receive a response, leaving students and their parents in the dark about the extent of data collection.

“Microsoft holds all the key information about data processing in its software but is pointing the finger at schools when it comes to exercising rights. Schools have no way of complying with the transparency and information obligations,” said NOYB’s Data Protection Officer, Maartje de Graaf.

It’s a methodology that can lead to software vendors dumping all GDPR obligations onto the shoulders of educational institutions, de Graaf explained.

NOYB has further criticised Microsoft for not being transparent about its data processing practices, claiming that even legal experts struggle to decipher the company’s data usage policies.

“It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection,” added de Graaf.

Know the risks

NOYB’s allegations illustrate just how vital it is that organisations prioritise ethics, transparency and accountability in all aspects of their information handling practices. The issue takes on even greater importance and complexity as companies adopt emerging technologies.

The issues are examined in depth this October at #RISK London, where industry leaders explore the importance of regulatory compliance, ethical responsibility, and user-centric practices in data processing standards in the AI era.

#RISK London 2024

We’re excited to share that #RISK is back in London for its third consecutive year, ready to equip attendees like you with the knowledge, insights, and connections crucial for navigating today’s dynamic risk landscape.

#RISK London 2024, 9-10 October, ExCel - GRC. AI. Privacy. Security. RegTech

Key #RISK London sessions include:

Beyond Compliance: Building a Culture of Privacy by Design

Location: PrivSec Theatre

This session will delve into the concept of “Privacy by Design,” a proactive approach that integrates privacy considerations into every stage of product development and data processing.

Experts will explore strategies for fostering a culture of privacy within organisations, from employee awareness training to implementing data minimisation practices.

The Evolving Regulatory Landscape: Staying Compliant in a Complex World

Location: Risk Theatre

This session provides insights into the rapidly evolving regulatory landscape impacting risk management practices.

Experts will discuss regulations like GDPR, CCPA, and DORA, outlining their implications for businesses and providing strategies for achieving compliance.


These are just two of the exclusive sessions taking place at #RISK London this October.

Discover more at #RISK London

Taking place October 9 and 10 at London’s ExCel, #RISK London brings high-profile subject-matter experts together for a series of keynotes, engaging panel debates and presentations across four separate theatres:

• GRC Theatre

• RegTech Theatre

• PrivSec Theatre

• Risk Theatre 

Each theatre is dedicated to examining the challenges and opportunities that businesses face in times of unprecedented change.

By breaking down silos and aligning systems and workflows, organisations can streamline decision-making, improve efficiencies, and enhance the customer experience.

Attendees will be able to learn how to mitigate risks, reduce compliance breaches, and drive performance.

“#RISK is such an important event as it looks at the broad perspective. Risks are now more interconnected and the risk environment is bigger than ever before.” - Michael Rasmussen, GRC Analyst & Pundit, GRC 20/20 Research