Your Child's Data Is Not Microsoft's Lesson
If you have a child in a Luxembourg school, they have a Microsoft 365 account. Not because you chose it. Not because the school asked you. Because the Ministry of Education decided, and your consent was never part of the equation. Every student, every teacher, every staff member, roughly 105,000 people in all, is routed through a system operated by a company that the European Data Protection Supervisor has already found in violation of data protection law.[1]
When a parent objects, the answer is always some version of "it is for the benefit of the child." Digital skills are important. Collaboration tools are important. The modern world demands it. These things are true. But they do not answer the question the parent is actually asking, which is: why this company, why this product, and why do I have no say?
The machine
Luxembourg's Centre de Gestion Informatique de l'Éducation, or CGIE, runs the digital infrastructure for the entire national education system. Their identity platform, eduConnect, creates an account for every student. By default, that account comes with access to Microsoft 365 and the eduWiFi network. There is no opt-out. There is no alternative productivity suite. There is no LibreOffice, no Nextcloud, no sovereign cloud option. Just Microsoft.[2]
The scale is vast. The CGIE's own figures: 44,057 secondary students, 48,260 primary students, and 13,000 teachers and administrative staff. Over 39,000 Teams channels. Approximately 280 terabytes of data stored in the cloud. This is not a pilot program or an optional tool. It is the infrastructure itself.
The one2one program goes further. Secondary students receive iPads that require Apple ID creation, another data transfer to another US corporation. In 2021, Déi Lénk MP David Wagner filed a parliamentary question asking exactly what data flows to Apple and Microsoft, citing the CJEU's Schrems II ruling and the EU Parliament's own 2014 resolution calling for suspension of data flows to companies implicated in mass surveillance. The Ministry's response was, essentially, that they had a contract and the contract said everything was fine.[3]
What Microsoft actually does with the data
When a student in Vienna exercised her right of access under GDPR Article 15, asking Microsoft what data it held about her, Microsoft referred her to her school. The school could not answer. Neither the school nor the Austrian Ministry of Education knew what Microsoft was doing with student data, because Microsoft had not told them.[4]
What noyb, Max Schrems's digital rights organization, discovered when they filed complaints in June 2024 was worse. Microsoft 365 Education was installing tracking cookies on students' computers without consent. These cookies analyzed user behavior, collected browser data, and were used for advertising purposes. Neither the schools nor the ministry knew about this tracking. When the Austrian Data Protection Authority investigated, it found that Microsoft was processing student data for what it called "business modelling" and "energy efficiency," terms opaque enough that the authority ordered Microsoft to explain in clear language whether personal data had been passed to LinkedIn, OpenAI, or the advertising company Xandr.[5]
This is not a hypothetical risk. This is documented, investigated, and now formally found illegal by a national data protection authority.
The dominoes falling
In November 2022, the Conference of German Data Protection Authorities concluded that Microsoft 365 could not be used in a GDPR-compliant manner. They could not find a way to configure it that would satisfy the law.[6]
In March 2024, the European Data Protection Supervisor, the regulator responsible for EU institutions themselves, found that even the European Commission's use of Microsoft 365 violated data protection rules. The Commission, one of the most powerful institutions in Europe, with dedicated legal teams and negotiating leverage, could not make Microsoft 365 compliant. Data flowed to 75 envisaged transfer recipients, including countries without adequacy decisions like China, India, Brazil, and the UAE. The Commission's own DPIA was found to be inadequate. Neither the Commission nor Microsoft had a clear understanding of the data flows.[7]
In October 2025, the Austrian Data Protection Authority issued its landmark decision. Microsoft 365 Education illegally tracked students, violated their right of access, and could not justify its data processing. The authority ordered deletion of data collected through illegal tracking cookies. It found that Microsoft had tried to shift all responsibility to schools and ministries, an approach it rejected. "It is almost impossible for schools to inform students, parents and teachers about what is happening with their data," said noyb lawyer Felix Mikolasch.[8]
In April 2025, Finland's Supreme Administrative Court ruled that while schools can use cloud tools like Google Workspace under a legal obligation basis, each individual service must be assessed separately for necessity and proportionality. Blanket approval of an entire platform is not acceptable. The court explicitly rejected the "all or nothing" approach that Luxembourg's CGIE takes with Microsoft 365.[9]
Luxembourg's own CNPD issued a decision in January 2025 related to Microsoft data processing (Decision 15/2025). The details are redacted, but the fact that the national data protection authority is actively scrutinizing Microsoft 365 in an education context is significant.[10]
The law is on your side
Under GDPR Article 21, you have the right to object to the processing of your child's data, including when it is based on a public task. The controller, in this case the Ministry of Education, can only override your objection by demonstrating "compelling legitimate grounds" that override your interests, rights, and freedoms.[11]
Luxembourg's own CNPD confirms this on their website: you can object, and the organization can only continue processing if it provides legitimate grounds. The "benefit of the child" argument does not automatically win. The authority must prove that this specific processing, by this specific company, under these specific conditions, is necessary and proportionate. Given the Austrian DSB's finding that even the ministry itself did not know what Microsoft was doing with student data, proving compelling legitimate grounds is a very tall order.
GDPR Article 8 provides heightened protection for children's data. Recital 38 explicitly states that children merit specific protection. The law recognizes that a child's privacy is part of their best interests. A data protection violation cannot be "for the benefit of the child" when the child's benefit includes the protection of their personal data.
The proportionality argument is also decisive. If open-source alternatives exist, and they do (LibreOffice, Nextcloud, sovereign cloud infrastructure), then the least intrusive means should be preferred. The Ministry chose Microsoft for procurement convenience, not pedagogical necessity. That choice has legal consequences.
The "benefit of the child" falls apart
The Ministry might argue that digital skills are essential for children and Microsoft 365 provides them. This argument has three problems.
First, digital literacy and Microsoft literacy are not the same thing. Teaching a child to use Word does not teach them to understand technology. Teaching them to use Teams does not teach them to collaborate. These are brand-specific skills, not transferable competencies.
Second, even if Microsoft 365 provides educational value, that value must be weighed against the cost. The cost here is the transfer of a child's educational data, including their work product, their communications, their attendance records, and their behavioral patterns, to a company that the European Commission's own data protection supervisor has found non-compliant, that has been caught tracking students without consent, and that processes data for purposes including "business modelling" and connections to LinkedIn, OpenAI, and advertising platforms.
Third, the argument assumes no alternative exists. It does. Schools in other countries use open-source solutions. France's ENT (Espace Numérique de Travail) offers alternatives. The French data protection authority, CNIL, has issued guidance on privacy-respecting educational tools. Germany's DSK conclusion that Microsoft 365 cannot be used compliantly implies that alternatives must be found. Luxembourg is not trapped by Microsoft. It has chosen to be.
What you can actually do
Step one: File a formal objection. Write to your child's school and the CGIE invoking GDPR Articles 13, 15, 21, and 8. Request full disclosure of what data Microsoft processes on your child, which countries it is transferred to, and what the legal basis is for mandating a specific US corporation's product. Request the results of any DPIA that has been conducted. If they cannot answer, and based on the Austrian findings they likely cannot, this strengthens your position.
Step two: File a complaint with the CNPD. The CNPD is legally obligated to investigate. Luxembourg's data protection authority has already shown it is scrutinizing this issue (Decision 15/2025). The Austrian precedent gives them a clear roadmap. The German findings give them supporting evidence. The EDPS decision against the European Commission gives them institutional backing. This is free and potentially more effective than a lawsuit.
Step three: Contact noyb. Max Schrems's organization filed complaints against Microsoft 365 Education across Europe in June 2024, including in Luxembourg (case C079-01). They are actively looking for affected individuals and have already won the Austrian case. Your complaint adds weight to an ongoing effort.
Step four: Judicial action if needed. Under GDPR Article 79, you have the right to an effective judicial remedy. This is the most expensive and slowest path, but the legal precedent is strong and growing. A Luxembourg court would need to consider the Austrian DSB decision, the German DSK findings, the EDPS decision, and the Finnish KHO ruling, all of which point in the same direction.
The bigger picture
This is not a fringe concern. The European Parliament called for suspension of data flows to companies implicated in mass surveillance in 2014. The CJEU invalidated the Privacy Shield in 2020. The EU's own data protection supervisor found the EU Commission's use of Microsoft 365 illegal in 2024. Austria's DSB found Microsoft 365 Education illegally tracks children in 2025. Germany's data protection authorities concluded Microsoft 365 cannot be used compliantly. Finland's highest court said cloud tools in education must be individually justified, not imposed as a package.
Luxembourg, meanwhile, has built its entire educational digital infrastructure on a product that multiple European regulators have found to violate the law. Not a different version of the product. Not a misconfigured instance. The same product, under the same contract, with the same data flows, that has been found illegal in Austria, non-compliant in Germany, and inadequate even for the European Commission.
Every student in Luxembourg is being tracked by a system that regulators have found to be illegally processing children's data. Every parent who objects is told it is for the benefit of the child. The law says the opposite. The regulators say the opposite. The evidence says the opposite. It is time for Luxembourg to listen.
[1] European Data Protection Supervisor, "European Commission's use of Microsoft 365 infringes data protection law for EU institutions and bodies," March 11, 2024. The EDPS found that the Commission's DPIA was inadequate, data flows were unclear, and transfers to 75 recipients in non-adequate countries were not properly assessed. Full decision: Case 2021-0518 (PDF).
[2] CGIE, eduConnect and Microsoft 365 education portal. "By default, all IAM account holders have access to the Microsoft (Office) 365 platform and to the eduWiFi network of the national education." No alternative is listed.
[3] David Wagner, Déi Lénk, Parliamentary Question on data protection in education, February 2021. Cited the CJEU Schrems II ruling and the European Parliament's 2014 resolution on NSA surveillance and data flows to US companies.
[4] noyb, "Microsoft violates children's privacy but blames your local school," June 4, 2024. A student exercising her Article 15 right of access was referred by Microsoft to her school, which could not provide the information.
[5] Austrian Data Protection Authority (DSB), Decision DSB-D135.027, October 8, 2025. Found illegal tracking cookies, violation of Article 15 access rights, and ordered Microsoft to explain processing for "business modelling" and "energy efficiency" and whether data was shared with LinkedIn, OpenAI, or Xandr. See also noyb's summary: "noyb win: Microsoft 365 Education may not track school children".
[6] Conference of German Data Protection Authorities (DSK), Findings on Microsoft Online Services (PDF), 104th DSK meeting, November 24, 2022. Concluded that Microsoft 365 could not be used in a GDPR-compliant manner.
[7] EDPS Decision, Case 2021-0518 (PDF), March 8, 2024. 180 pages, 604 points. Found data flowing to 75 transfer recipients including China, India, Brazil, and the UAE.
[8] noyb, "Microsoft 365 Education may not track school children," October 10, 2025. Felix Mikolasch: "It is almost impossible for schools to inform students, parents and teachers about what is happening with their data."
[9] Finnish Supreme Administrative Court (KHO), Decision KHO:2025:29, April 8, 2025. Each service within a platform must be individually assessed for necessity and proportionality. Blanket approval of entire platforms is not acceptable. See also the Finnish Data Protection Ombudsman's summary of the decision.
[10] CNPD, Commission Resolution No 15/2025 of 31 January 2025. Filed at EDPB as LU-2025-01. Related to Microsoft data processing. Details redacted. EDPB decision document (PDF).
[11] GDPR Article 21(1): "The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) of Article 6(1) [...] The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject." See also CNPD, Decisions and Sanctions page.