France: Windows 10 is collecting ‘excessive’ user data, Microsoft has 3 months to address issues

France is not a fan of Windows 10. The country’s Commission Nationale de l’Informatique et des Libertés (CNIL) has ordered Microsoft to “stop collecting excessive data and tracking browsing by users without their consent.”

The CNIL says it carried out seven investigations between April 2016 and June 2016 regarding how Windows 10 functions. The commission also questioned Microsoft to verify that its privacy policy for Windows 10 complied with the French Data Protection Act.

For its part, Microsoft has said it will work with CNIL, which says it found “many failures” in compliance and has given the company three months to address them. If Microsoft were not to comply, CNIL said it could initiate sanctions.

CNIL’s findings are as follows:

• Irrelevant or excessive data collected: Microsoft is collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products. To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.
• A lack of security: Microsoft allows users to choose a four-character PIN to authenticate themselves for all its online services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.
• Lack of individual consent: An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.
• Lack of information and no option to block cookies: The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.
• Data still being transferred outside EU on a “safe harbor” basis: Microsoft is transferring its account holders’ personal data to the United States on a “safe harbor” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on October 6, 2015.

Here is Microsoft’s full statement, courtesy of David Heiner, vice president and deputy general counsel:

Earlier today Microsoft received a notice from the French data protection authority, the Commission Nationale de l’Informatique et des Libertés or CNIL, raising concerns about certain aspects of Windows 10. The notice gives Microsoft three months to address the issues.

We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.

The CNIL noted that the Safe Harbor framework is no longer valid for transferring data from European Union to the United States. We fully understand the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both side of the Atlantic that led to last week’s adoption of the Privacy Shield.

As the European Commission observed, Microsoft’s January 2016 Privacy Statement states that the company adheres to the principles of the Safe Harbor Framework. Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield. As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States.

Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.

CNIL said it is making its notice to Microsoft public because of the “seriousness of the breaches” and because the country has more than 10 million Windows users.