Spanish School District Sanctioned Over Microsoft Student Data Deal

Spain’s Andalusia region is sanctioned for sharing data of 525,000 students with Microsoft, highlighting growing global debates over school data privacy.

Tuesday, July 7, 2026

Key Takeaways

  • The regional government of Andalusia, Spain, was sanctioned for transferring personal data of 525,000 students and 74,000 teachers to Microsoft in exchange for free cloud software licenses.
  • European regulators are stepping up enforcement. Denmark banned Google Workspace in one municipality, and France banned free versions of Microsoft Office 365 and Google Workspace in schools.
  • US cloud software services introduce legal access risks under the CLOUD Act. This law allows US federal authorities to compel companies to produce data stored even on foreign servers.
  • Standard commercial licensing often permits tech vendors to use student data to train artificial intelligence models. In contrast, educational licenses typically enforce stricter regional data processing limits.

A Spanish regional government is under fire for giving Microsoft access to the personal data of over half a million students in exchange for free educational software. This security breach highlights a growing global battle over how schools protect children's private details. As districts increasingly rely on big tech platforms, parents and educators are left asking where the boundary lies between student privacy and classroom convenience.

What Happened

The Council for Transparency and Data Protection of Andalusia formally sanctioned the Andalusian regional government for exposing the personal information of 525,000 minors and 74,000 teachers, as reported by RUSSPAIN. Over the past six years, the government handed over this sensitive data in exchange for free access to Microsoft's Teams, OneDrive, and Office applications. The investigation revealed that the regional authority committed six data protection infractions, including transferring personal data to third countries without adequate safety guarantees and failing to obtain consent from families. This is not the region's first privacy failure. A similar deal with Google in 2020 exposed the data of 738,000 minors. The council opted not to issue a financial fine to avoid disrupting schools, but ordered the government to reform its partnership before their contract expires in November.

The Bigger Picture

The issue of "data sovereignty"—who owns and controls student information—is a growing headache for school administrators. When schools use cloud-based programs, student information is regularly stored on physical servers owned by US-based corporations. According to data privacy experts at Edsby, this setup creates legal access risks under laws like the US CLOUD Act, which allows US federal authorities to compel companies to hand over data stored in foreign countries. Standard commercial contracts also allow companies to use collected data to train artificial intelligence models, creating commercial exploitation risks.

Because of these privacy threats, European regulators are pushing back. Denmark's Data Protection Authority banned Google Workspace and Chromebooks in one municipality due to illegal international data transfers. France took a step further, ordering schools to stop using free versions of Microsoft Office 365 and Google Workspace because they violate European data standards. Even simple acts, like an offshore database engineer accessing school cloud systems to fix a bug, count as international data transfers that require strict contractual safeguards under the General Data Protection Regulation (GDPR).

What This Means for Families

When school districts trade student data for free software licenses, families lose control over where their children's details end up. The Andalusian case showed that everyday schoolwork—such as kids writing essays about their political beliefs or uploading health records to school clouds—leads to the processing of highly personal information without parental consent. As we previously reported regarding a major lawsuit against i-Ready, invisible trackers can follow a child's learning habits, behavior, and physical movements, building a digital profile of them before they ever reach adulthood.

There is a distinct difference in privacy controls depending on the version of software a school purchases. For instance, Microsoft's educational licenses strictly process data in local regions and delete prompt histories after 30 days, whereas standard commercial accounts often retain student data longer and use it for system training. Beyond digital safety, there is also a physical cost to the rapid digitalization of schools. Research from Family and Media warns that over-reliance on digital tools can lead to developmental problems, poor posture, and difficulty managing screen time, prompting some schools to re-emphasize traditional learning tools.

What You Can Do

  • Ask about software licenses: Ask your child's school administration if they are using educational versions of platforms like Microsoft Teams or Google Workspace, rather than basic commercial or free versions, to ensure stricter privacy controls are active.
  • Request a copy of the school's privacy policy: Check how your district manages student data, whether they perform data impact assessments, and if student data is stored locally or transferred internationally.
  • Limit optional personal disclosures: Advise your children to keep highly sensitive information, such as health updates, political opinions, or personal journals, out of school-provided cloud drives and text chats.
Share: