Windows 10: CNIL publicly serves formal notice to Microsoft Corporation to comply with the French Data Protection Act within three months

20 July 2016

The Chair of the National Data Protection Commission (CNIL) serves formal notice on Microsoft Corporation to stop collecting excessive data and tracking users' browsing without their consent. She is also demanding that Microsoft take satisfactory measures to ensure the security and confidentiality of user data.

Windows 10

Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and by political parties to the possibility that Microsoft Corporation was collecting excessive personal data. Meanwhile, a Contact group was created within the WP29 (the Article 29 Working Party, which brings together the national data protection authorities in Europe) to examine the issue and conduct investigations in the various member states concerned. It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy, in order to check that Windows 10 complied with the French Data Protection Act.

These checks revealed several failures:

Irrelevant or excessive data collected:

The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. To this end, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, which reveals, among other things, every app a user has downloaded and installed on the system and the time spent in each one. The company is therefore collecting excessive data, since these data are not necessary for the operation of the service.

A lack of security:

The company allows users to choose a four-character PIN to authenticate themselves to all of its on-line services, notably to access their Microsoft account, which lists purchases made in the store and the payment instruments used. However, the number of attempts to enter the PIN is not limited. A four-character PIN offers only a tiny keyspace (10,000 combinations if it is numeric), so without an attempt limit it can be exhausted by an automated guessing attack, which means that user data is neither secure nor confidential.
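To make the failure concrete, here is an added example (not code from the CNIL or from Microsoft; the account classes, the lockout threshold of five failures, the secret key and the sample PIN are all assumptions). It models two PIN verifiers over a constructed account record: one that accepts unlimited guesses, which a simple enumeration of 0000 to 9999 always defeats, and one that locks the account after a fixed number of consecutive failures, which stops the same enumeration after a handful of attempts.

```python
"""Added example: why a short PIN needs an attempt limit.

Two verifiers over a constructed account record. The first accepts unlimited
guesses, so enumerating every 4-digit PIN always succeeds. The second locks the
account after MAX_ATTEMPTS consecutive failures, so the same enumeration fails.
All names, the threshold and the sample PIN are assumptions for illustration.
"""
import hashlib
import hmac
import itertools

MAX_ATTEMPTS = 5                      # assumed lockout threshold
SERVER_KEY = b"constructed-server-side-key"  # constructed; stands in for a server secret


def pin_tag(pin: str) -> bytes:
    """Keyed hash of the PIN as stored by the verifier.

    Hashing protects the stored value against disclosure; it does nothing
    about the 10,000-value keyspace, which is why an attempt limit is needed.
    """
    return hmac.new(SERVER_KEY, pin.encode("ascii"), hashlib.sha256).digest()


class UnthrottledAccount:
    """Verifier with no attempt limit: the failure the notice describes."""

    def __init__(self, pin: str) -> None:
        self._tag = pin_tag(pin)

    def verify(self, guess: str) -> bool:
        # Constant-time comparison, but the caller may try as often as it likes.
        return hmac.compare_digest(self._tag, pin_tag(guess))


class ThrottledAccount:
    """Verifier that locks the account after MAX_ATTEMPTS consecutive failures."""

    def __init__(self, pin: str) -> None:
        self._tag = pin_tag(pin)
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False                  # locked accounts reject every guess
        ok = hmac.compare_digest(self._tag, pin_tag(guess))
        if ok:
            self.failures = 0             # a success resets the counter
        else:
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked = True        # further attempts are refused
        return ok


def brute_force(account) -> tuple:
    """Try every 4-digit PIN in order 0000..9999.

    Returns (pin_found or None, number of attempts made). Stops early if the
    account reports itself locked, since further guesses would be pointless.
    """
    attempts = 0
    for digits in itertools.product("0123456789", repeat=4):
        guess = "".join(digits)
        attempts += 1
        if account.verify(guess):
            return guess, attempts
        if getattr(account, "locked", False):
            return None, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed sample PIN for the demonstration.
    print("unthrottled:", brute_force(UnthrottledAccount("7382")))   # ('7382', 7383)
    throttled = ThrottledAccount("7382")
    print("throttled:  ", brute_force(throttled), "locked =", throttled.locked)
```

A per-account lockout is the minimal fix; a real service would also throttle by source address and device, use increasing delays rather than a hard lock (to limit denial-of-service against legitimate users), and treat a four-character secret as at most a second factor.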

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and third-party apps to monitor users' browsing and to offer targeted advertising without obtaining users' consent.

Lack of information and no option to block cookies:

The company places advertising cookies on users' terminals without properly informing them of this in advance or enabling them to object to it.

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders' personal data to the United States on a "safe harbour" basis, but this has not been possible since the judgment of the Court of Justice of the European Union of 6 October 2015, which invalidated the Safe Harbour decision.

Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. These proceedings bind only the French data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.

The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).

For the record, the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.

Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL's restricted committee, which is responsible for examining breaches of the Data Protection Act, issue a sanction against the company.
