French authorities tackle Microsoft’s “excessive” default data collection in Windows 10 : Updated with Microsoft Statement


20, 2016


Microsoft has taken a lot of flak for privacy issues in Windows 10, and now ZDNet reports that the French National Data Protection Commission (CNIL) has issued a formal notice against Microsoft, listing a number of complaints which, unlike some of the paranoid ranting we have heard from others, seem reasonable and well researched.

The CNIL based its complaints on seven investigations it conducted between April and June 2016, together with interviews with Microsoft representatives, and lists the following complaints:

  • Irrelevant or excessive data collected
    The CNIL found that “collecting diagnostic and usage data via its telemetry service” was acceptable, but found that the default Windows 10 settings, which collect additional information, go too far. The complaint says collecting “information … on all the apps downloaded and installed on the system by a user and the time spent on each one” is “excessive.”
  • A lack of security
    This complaint says the option to secure a PC with a four-digit PIN is insecure because it does not limit the number of attempts to enter the PIN (this seems to be wrong).
  • Lack of individual consent
    According to this allegation, Microsoft’s advertising ID enables Windows apps and other parties’ apps to monitor browsing and offer targeted ads without proper consent.
  • Cookies
    The agency complains that Microsoft puts cookies on users’ websites without sufficient consent.
  • Data transfer outside the EU
    CNIL says data from French Windows users is being transferred to the United States on a “safe harbor” basis, a practice that should have stopped after a decision issued by the Court of Justice of the European Union on 6th October 2015.

From that list, the fact that the default data collection includes specific app usage information (something some people are quite sensitive about) does seem excessive, and some of Microsoft’s privacy practices do not appear to meet modern standards, for example the ability to opt in or out of using Microsoft’s advertising ID on an app-by-app basis.

The CNIL has demanded Microsoft “stop collecting excessive data and tracking browsing by users without their consent,” and has given Microsoft 3 months to comply. At present it is not known what penalties Microsoft will face if they do not address the issues.

Update: David Heiner, Microsoft’s vice president and deputy general counsel, has now issued a response to the CNIL formal notice, saying:

“Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.

“The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from the European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week’s adoption of the Privacy Shield.

“As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

“Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.”

Microsoft expects to make changes to its privacy policy to address the complaint, but notes in the above statement that what it does is already legal thanks to a number of other provisions and protections beyond just Safe Harbor, and that it already takes the privacy of its users very seriously.

Do our readers agree with the CNIL that Microsoft has in some cases gone a bit too far, or is Europe once again being somewhat oversensitive regarding privacy? Let us know below.
