The French data authority, Commission Nationale de l’Informatique et des Libertés (CNIL), has issued a formal notice to Microsoft to stop collecting excessive data and tracking of users without their approval.
CNIL took this action after being alerted by media and political parties. Meanwhile, a Contact group was created within the G29 (working party including national data protection agencies in Europe) to examine the issue and conduct investigations in several states concerned.
The CNIL, in this regard has conducted over seven online observations in April and June this year and questioned Microsoft over its privacy policy to check whether Windows 10 was following the French Data Protection Act.
CNIL revealed several areas of concerns including irrelevant or excessive data collection, lack of security, lack of individual consent, lack of information and missing options to block cookies and data being transferred outside EU on ‘safe harbour’ basis.
The authority found that Microsoft was collecting user data such as the number of apps that are being downloaded and installed and the time that is spent on each app, which the agency says is unnecessary information.
CNIL also pointed about the lack of user consent from Microsoft and other third party apps to monitor user browsing and offer targeted advertising. This is accomplished through an advertising ID which is activated by default in Windows 10.
Advertising cookies have been placed on users’ terminals without properly informing them in advance or giving the users an option to disable them.
Also, CNIL pointed out that personal data from account holders is being transferred to US on a ‘safe harbor’ basis but this was not possible since the decision issued by the Court of Justice of the European Union in October 2015.
With these issues at hand, CNIL has decided to give a formal notice to Microsoft to comply with the Act within three months.
CNIL has also noted that it was not about preventing advertisements, but to enable users to choose freely by being properly informed of their rights.
Respoding to the notice, Microsoft vice president and deputy general counsel David Heiner said: "We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections.
"We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable.