French authorities serve notice to Microsoft for Windows 10 privacy failings

Strict online privacy laws in the EU continue to bedevil American tech companies. Latest to catch flak is Microsoft, over a handful of objections from a French data protection agency.

By Ed Bott for The Ed Bott Report | July 20, 2016 — 19:57 GMT (12:57 PDT) | Topic: Windows 10


I wonder how much our data is worth in the US? Now I see that they want to charge us monthly fees for an OS most do not want.

The French National Data Protection Commission (CNIL) issued a formal notice against Microsoft today, ordering that the company “stop collecting excessive data and tracking browsing by users without their consent.”

The complaint also demands that “Microsoft take satisfactory measures to ensure the security and confidentiality of user data.”


CNIL based its complaint on seven investigations it conducted between April and June of this year, as well as interviews with Microsoft representatives to ensure that the company was following the French Data Protection Act.

The CNIL notice accuses Microsoft of the following violations:

Irrelevant or excessive data collected: The CNIL found that “collecting diagnostic and usage data via its telemetry service” was acceptable, but found that the default Windows 10 settings, which collect additional information, go too far. The complaint says collecting “information … on all the apps downloaded and installed on the system by a user and the time spent on each one” is “excessive.”

A lack of security: This complaint says the option to secure a PC with a four-digit PIN is insecure because it does not limit the number of attempts to enter the PIN.

Lack of individual consent: According to this allegation, Microsoft’s advertising ID enables Windows apps and other parties’ apps to monitor browsing and offer targeted ads without proper consent.

Cookies: The agency complains that Microsoft puts cookies on users’ websites without sufficient consent.

Data transfer outside the EU: CNIL says data from French Windows users is being transferred to the United States on a “safe harbor” basis, a practice that should have stopped after a decision issued by the Court of Justice of the European Union on 6th October 2015.

This isn’t the first big American tech company to land in CNIL’s crosshairs. Facebook faced a similar complaint in February of this year, and Google received its own complaint in 2013, with another “compliance package” proposed in 2014.

The CNIL public notice stresses “formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.”

The complaint gives Microsoft three months to comply.

ZDNet has asked Microsoft for comment and will update this post as needed.
