therecord.media Suzanne Smalley
October 10th, 2025
Austria's data protection authority on Wednesday ruled that Microsoft illegally tracked students using its education software by failing to give them access to their data and using cookies without consent.
The decision from Austria’s Datenschutzbehörde (DSB) came in response to a 2024 complaint lodged by the Austrian privacy advocacy group noyb, which accused the tech giant of violating Europe’s General Data Privacy Regulation for its handling of children’s data.
The complainant in the case, the father of a minor whose school uses the software, said he did not consent to the cookies and could not get information about how his child’s data was being used.
Microsoft 365 Education is used by school districts to manage technology, allow collaboration and store data in the cloud. It includes Office applications like Word, Excel, Outlook and PowerPoint as well as security tools and collaboration platforms like Teams.
"The decision highlights the lack of transparency in Microsoft 365 Education," Felix Mikolasch, a data protection lawyer at Noyb, said Friday in a prepared statement. "It is nearly impossible for schools to inform students, parents and teachers about what is happening with their data."
A spokesperson for Microsoft said in a prepared statement that the company will review the decision.
“Microsoft 365 for Education meets all required data protection standards and institutions in the education sector can continue to use it in compliance with GDPR,” the statement said.
The regulator has ordered Microsoft to give the complainant access to their data and to begin to explain more clearly how it uses data it collects.
cybernews.com
Paulina Okunytė - Journalist
Published: 29 September 2025
Last updated: 29 September 2025
An EU privacy watchdog has filed a complaint against an AI company for selling creepy “reputation reports” that scrape anyone's sensitive information online.
Noyb, a non-profit organization that enforces data protection and privacy rights in Europe, has filed a complaint against a Lithuania-based AI company.
According to the complaint, the company has been scraping social media data and forming reports that included personality traits, conversation tips, photos taken from internet sources, religious beliefs, alcohol consumption, toxic behaviour, negative press, and flagged people for “dangerous political content” or “sexual nudity.”
Whitebridge AI markets its “reputation reports” as a way to “find everything about you online.”
The company’s ads seem to target the people it profiles, using slogans like “this is kinda scary” and “check your own data.” However, anyone willing to pay for a report could get information about a profiled person without informing them.
“Whitebridge AI just has a very shady business model aimed at scaring people into paying for their own, unlawfully collected data. Under EU law, people have the right to access their own data for free,” said Lisa Steinfeld, data protection lawyer at noyb.
When complainants represented by the NGO asked to see their reports, they got nowhere until noyb bought the reports themselves.
According to the noyb representatives, who downloaded the reports, the outputs are largely of low quality and seem to be randomly generated AI texts based on “unlawfully scraped online data.”
Some of the complainant’s reports contained false warnings for “sexual nudity” and “dangerous political content,” which are considered specially protected sensitive data under Article 9 of the GDPR.
In its privacy notice, Whitebridge claims that scraping user data is legal thanks to its “freedom to conduct a business.”
The company claims to only process data from “publicly available sources.”
According to the noyb representative, most of this data is taken from social network pages that are not indexed or found on search engines. The law states that entering information on a social networking application does not constitute making it “manifestly public.”
Under GDPR, any individual can request information about their data and ask for removal. Both complainants that noyb represents filed an access request under Article 15 GDPR, but didn’t receive the desired response from Whitebridge.ai.
When the complainants asked for corrections, Whitebridge demanded a qualified electronic signature. Such a requirement is not found anywhere in EU law, states noyb.
The watchdog demands that Whitebridge comply with the complainants’ access requests and fix the false data in the reports on them.
“We also request the company to comply with its information obligations, to stop all illegal processing, and to notify the complainants of the outcome of a rectification process. Last but not least, we suggest that the authority impose a fine to prevent similar violations in the future,” wrote noyb in the statement.
Cybernews reached out to Whitebridge.ai for a comment, but a response is yet to be received. We will update the article when we receive it.
Microsoft's education-focused flavor of its cloud productivity suite, Microsoft 365 Education, is facing investigation in the European Union. Privacy
Today, the US government published an executive order, allegedly limiting US surveillance. This is a first statement by noyb.
