France’s CNIL, which is tasked with protecting personal data and preserving individual liberties, this week accused Microsoft of violating the French Data Protection Act by using Windows 10 to “collect excessive user data without their consent.” Quelle horreur!
“The CNIL found that [Microsoft is] collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products,” the CNIL explains. “To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.”
The CNIL further asserts that Windows 10 violates the French Data Protection Act by:
… not seeking individual consent. Windows 10 and various installed apps monitor user browsing and offer targeted advertising without obtaining users’ consent.
… being insecure. By letting users choose a four-digit PIN to authenticate themselves, Microsoft is opening up users to theft of their payment instruments. “The number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential,” the CNIL says.
… offering no option to block tracking cookies. The CNIL charges that Microsoft “puts advertising cookies on users’ PCs without properly informing them of this in advance or enabling them to oppose this.”
… inappropriately using out-of-date EU “safe harbor” rules to transfer personal data to the U.S. Microsoft is transferring users’ personal data to the United States, but this is illegal given a decision issued by the Court of Justice of the European Union in October 2015, the CNIL says.
The CNIL has given Microsoft three months to reply to these accusations and to change Windows 10 and its policies to conform with French law. Should Microsoft not comply within the stated time, it will be officially sanctioned and could be fined up to 4 percent of its annual global revenues.
The CNIL has also alerted the software giant that other European Union member states are conducting similar investigations into Windows 10’s alleged privacy issues and could issue their own findings against the firm.
“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights,” the CNIL says. “It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).”
For its part, Microsoft says it will work to comply with French law.
“We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable,” Microsoft vice president and deputy general counsel David Heiner said.