Microsoft has been called out by the Commission Nationale de l’Informatique et des Libertes (CNIL), a French regulatory watchdog group, for collecting “excessive” amounts of data on users and improperly protecting that data.
CNIL announced July 20 that it had issued a formal notice against Microsoft, following seven investigations between April and June 2016 that looked into whether Windows 10 complies with the French Data Protection Act.
The investigations, reported CNIL, “revealed many failures.”
First, it found that Microsoft said that it collects diagnostic and usage data via its telemetry service, in order to, among other things, identify and solve problems. But the types of data being collected, said CNIL, “are not necessary for the operation of the service.”
Second, it questioned Microsoft’s security measures. The company has users authenticate themselves on its online services via a four-character PIN. “But the number [of] attempts to enter the PIN is not limited,” stated the notice, “which means that user data is not secure or confidential.”
Third, rather than having users opt in, to allow third-party apps to monitor their browsing and offer targeted advertising, the advertising ID is activated by default.
Fourth, CNIL said Microsoft doesn’t properly inform users in advance about the advertising cookies it puts on their terminals.
And fifth, CNIL said that Microsoft is transferring users’ personal information to the United States on a “Safe Harbor” basis. Though since an Oct. 6, 2015, ruling, this is no longer a legally acceptable method.
CNIL said it decided to make the notice public due to the “seriousness of the breaches” and the number of individuals involved. In France, more than 10 million people use Windows, it added.
Microsoft Vice President and Deputy General Counsel David Heiner said in a statement shared with the media: “We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable.”
Heiner also noted that in addition to the Safe Harbor framework, Microsoft uses a “variety of legal mechanisms” to transfer data from Europe, and it’s working to meet the requirements of the Privacy Shield, a new trans-Atlantic data transfer agreement.
“Microsoft will release an updated privacy statement next month,” Heiner stated, “and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield.”
CNIL said Microsoft has three months to address its concerns. If it does, no further action will be taken. If it doesn’t, CNIL will appoint an investigator who may issue “one of the sanctions” detailed in Article 45 of the Data Protection Act.
By CNIL’s count, it has conducted 421 investigations and rendered 62 orders, seven warnings and eight financial sanctions. It can issue fines up to 150,000 euros, which can be doubled for a repeat offense.