France isn’t into Microsoft collecting user data without users’ consent. The CNIL, France’s National Commission on Informatics and Liberty, issued a formal notice telling the company it has three months to cut it out. If Microsoft fails to comply, the CNIL will issue a sanction against the company.
CNIL investigated Windows 10 between April and June 2016 after reading media reports that said Microsoft was collecting an excessive amount of user data. Here’s what they found:
- The company is collecting “Windows app and Windows Store usage data”. It’s also monitoring what apps its users download and how much time they spend on each one, which the CNIL considers to be irrelevant and excessive data collection.
- There is no limit on how many times you can incorrectly enter your four-digit PIN to access your Microsoft account, which indicates that “user data is not secure or confidential”.
- “An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.”
- Windows 10 gives you no option to block cookies.
- “The company is transferring its account holders’ personal data to the United States on a ‘safe harbour’ basis.”
Basically, the CNIL wants Microsoft to give its 10 million French customers a choice about whether their data is being collected.
Here is Microsoft’s statement, via VentureBeat:
Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.
We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.
The CNIL noted that the Safe Harbour framework is no longer valid for transferring data from the European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week’s adoption of the Privacy Shield.
As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbour Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbour Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbour Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.
Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.