Windows 10

Published: July 22nd, 2016

It seems that while privacy concerns for Windows 10 have all but died down, one government is adamant about holding Microsoft accountable.

France’s Commission Nationale de l’Informatique et des Libertés (CNIL), or National Commission on Informatics and Liberty, has ordered Microsoft to stop collecting “excessive data and tracking browsing by users without their consent.”

The French regulatory body is in charge of ensuring privacy laws are followed in data collection and use.

Despite widespread reports of the extent to which Microsoft collects data using Windows 10 – and how it circumvents user attempts to stop it – CNIL has carried out its own investigations to determine Microsoft’s infractions.

Through its investigations into the software, as well as through interrogations of Microsoft’s employees, the commission found many instances that violated the French Data Protection Act.

They concluded that:

  • Microsoft collected “Irrelevant or excessive data” which is not necessary for the operation and improvement of its operating system. This includes tracking the amount of time spent in each application
  • There’s a “lack of security” for its online services such as the Microsoft account in that it allows for an unlimited number of PIN attempts
  • A “lack of individual consent” for its much-criticized advertising ID
  • That Microsoft puts advertising cookies on users’ terminals without consent or an option to opt out
  • That the company has violated the EU Court of Justice’s October 2015 “Safe harbour” ruling which states that transferring data out of France to the United States violates European citizens’ rights

“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights,” CNIL said in a statement.

The regulatory body decided to make the notice public due to the “seriousness of the breaches” as well as the number of people concerned, which it says amounts to more than ten million Windows users in French territory.

The regulatory body gave Microsoft three months to fall in line.

The announcement comes in light of Microsoft’s July 29 deadline for free upgrades to Windows 10, as well as its much-touted Anniversary Update coming to the OS, slated to arrive Aug. 2, which will bring with it a host of productivity and security features.

It is likely that the French government’s concerns will need to be addressed in a separate update.

“Formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public,” CNIL said in a statement. “Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may … issue a sanction against the company.”

Microsoft’s vice president and deputy general counsel has since released the following statement:

Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.

The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from the European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week’s adoption of the Privacy Shield.

As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.