Served on Wednesday, the formal notice asked Microsoft to “stop collecting excessive data and tracking browsing by users without their consent.” The French Data Protection Commission (CNIL) also told the company it must “take satisfactory measures to ensure the security and confidentiality of user data.”

The CNIL’s complaints came from seven investigations into Microsoft’s Windows 10 operating system between April and June. The commission also interviewed Microsoft representatives to make sure the French Data Protection Act was upheld.

The Violations

Microsoft has three months to stop tracking users’ browsing. The information was being used to target ads in Windows and third-party programs.

The CNIL also accuses Microsoft of the following:

Irrelevant and excessive data collection

“The CNIL found that the company was collecting diagnostic and usage data via its telemetry service…providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data.”

Lack of proper security

“The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account…but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.”

Lack of consent from individuals

“An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.”

Insufficient consent for cookies

“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.”

Data transfer outside of the EU

“The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.”

The last point comes as a bit of an embarrassing contradiction on Microsoft’s part. When the replacement Privacy Shield legislation passed earlier this month, the company praised the decision. Microsoft’s John Frank, Vice President for EU Government Affairs, said they “will sign up to the new framework as soon as possible.” Their implementation has clearly not been fast enough for some.

Microsoft Vice President David Heiner responded to these accusations, however, telling ZDNet:

“Microsoft has in fact continued to live up to all of its commitments under the Safe Harbor Framework, even as the European and U.S. representatives worked toward the new Privacy Shield…in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe.”

Heiner goes on to pledge Microsoft’s co-operation with the CNIL to find a solution. The company will be updating its privacy statement next month to confirm Privacy Shield’s adoption.