After learning just how much data Windows 10 might be collecting from users, France’s National Data Protection Commission (CNIL) has ordered Microsoft to comply with the French Data Protection Act and “stop collecting excessive data and tracking browsing by users without their consent” within three months.
READ MORE: Moto Z Droid and Moto Z Force Droid review
Shortly after the launch of the new operating system in July 2015, CNIL began investigating the software and questioning Microsoft on its privacy policy. During these observations, the group discovered that Windows 10 was collecting irrelevant and excessive data, providing a frightening lack of security for users, failing to obtain user consent before allowing first- and third-party apps to monitor browsing or offer targeted advertising and more. The list goes on.
“Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months,” writes the CNIL. “This proceedings only commits French Data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.”
As for the consequences of failing to meet these standards: “Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company.”
Microsoft followed up with a response one day after the notice was issued:
Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.
We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.
The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both side of the Atlantic that led to last week’s adoption of the Privacy Shield.
As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.
Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.
Although Microsoft failed to explain why it continues to collect so much seemingly irrelevant data from users or even address the legitimate security concerns raised by CNIL, at least the company appears to be taking this seriously.