France orders Microsoft to stop collecting excessive user data
Staff Writer
The chair of the National Data Protection Commission (CNIL), Isabelle Falque-Pierrotin, issued a notice to Microsoft Corporation to stop collecting excessive data and tracking browsing by users without their consent.
She is also demanding that Microsoft take satisfactory measures to ensure the security and confidentiality of user data.
Following the launch of the new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data.
Meanwhile, a contact group was created within the G29 (a working party including national data protection agencies in Europe) to examine the issue and conduct investigations in the various member states concerned.
It is within this context that the CNIL carried out seven on-line observations in April and June 2016 and questioned Microsoft Corporation on certain points of its privacy policy to check that Windows 10 complied with the French Data Protection Act.
The CNIL found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products.
For this purpose, Microsoft processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one.
Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.
The company allows users to choose a four-character PIN to authenticate themselves for all its on-line services, notably to access their Microsoft account, which lists purchases made in the store and the payment instruments used. However, the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.
An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.
The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.
The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis, but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.
Given the above, the chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months.