France accuses Microsoft of gathering ‘excessive data’ through Windows 10

21 Jul 2016

France's Data Protection chair wants users to be given the choice about what data is collected about them

France’s National Data Protection Commission (CNIL) has issued a formal notice against Microsoft, ordering it to stop collecting “excessive data” from Windows 10 PCs.

The Chair of the National Data Protection Commission, Isabelle Falque-Pierrotin, has given Microsoft three months to make changes.

The formal notice said that, following the launch of Windows 10 in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft was collecting excessive personal data.

‘The company is collecting excessive data, as these data are not necessary for the operation of the service’

After carrying out several investigations and questioning Microsoft about its privacy policy, the CNIL claims it has discovered myriad failures.

Policy failures

“The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products,” CNIL said.

“To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one.

“Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.”

Specifically, the CNIL said that Microsoft privacy policies are failing in a number of areas, including: security (only a four-character PIN to authenticate online services); lack of individual consent (an advertising ID is activated by default when Windows 10 is installed); no option to block cookies; and data is being transferred outside the EU on a Safe Harbour basis.

On the latter point, the CNIL said: “The company is transferring its account holders’ personal data to the United States on a ‘Safe Harbour’ basis, but this has not been possible since the decision issued by the Court of Justice of the European Union on 6 October 2015.”

The CNIL has issued a formal notice to Microsoft to comply with the French Data Protection Act within three months.

“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.”

The formal notice is not an actual sanction, but the CNIL warned further action will be taken if Microsoft fails to comply with the Act, and an internal investigator could be appointed before sanctions are levelled at the software giant.

Eiffel Tower image via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years