GDPR rights are being ignored. In practice, this leads to a situation where Microsoft is trying to contractually dump most of its legal responsibilities under the GDPR on schools that provide Microsoft 365 Education services to their pupils or students.
Trying to find out exactly what privacy policies or documents apply to the use of Microsoft 365 Education is an expedition in itself. There is a serious lack of transparency, forcing users and schools to navigate a maze of privacy policies, documents, terms and contracts that all seem to apply. The information provided in these documents is always slightly different, but consistently vague about what actually happens to children’s data when they use Microsoft 365 Education services.
Maartje de Graaf, data protection lawyer at noyb: “Microsoft provides such vague information that even a qualified lawyer can’t fully understand how the company processes personal data in Microsoft 365 Education. It is almost impossible for children or their parents to uncover the extent of Microsoft’s data collection.”
Felix Mikolasch, data protection lawyer at noyb: “Our analysis of the data flows is very worrying. Microsoft 365 Education appears to track users regardless of their age. This practice is likely to affect hundreds of thousands of pupils and students in the EU and EEA. Authorities should finally step up and effectively enforce the rights of minors.”
As the terms and conditions and the privacy documentation of Microsoft 365 Education are uniform for the EU/EEA, all children living in these countries are exposed to the same violations of their GDPR rights. Therefore, noyb also suggests that the authority should impose a fine on Microsoft.
Yes, it is a full time job and hard. That’s how MS is able to configure and sell it to so many different customers. For those without the capabilities there are more simple products. We should start taking legal action against AWS because you can implement things in a shitty way if you hire experts?
The issue is that Microsoft is marketing these as “easy” solutions (requiring less work and manpower than older on-prem options) for specific use cases (in this case education) where the defaults don’t match the requirements for said use case. It’s not easier, and it doesn’t meet the needs it is sold for out of the box.
I was only addressing your claim that it’s all documented and the implication that it was a simple matter of configuration.