Data-protection authorities in France have officially closed an investigation into Microsoft’s data collection practices for Windows 10.
The French National Data Protection Commission (CNIL) had issued a formal notice against Microsoft in July 2016, ordering that the company “stop collecting excessive data and tracking browsing by users without their consent.”
Yesterday’s formal notice of closure notes that “violations had ceased [and] the company had complied with the French Data Protection Act.” In addition, it notes that “the company has implemented several measures in order to comply with the requirements stated in the formal notice.”
The notice, coming one day before the end of Microsoft’s fiscal year, allows the company to highlight a successful resolution of the complaint in its upcoming SEC filings and annual report.
Via email, a Microsoft spokesperson provided the following comment:
“We are committed to protecting our customers’ privacy and putting them in control of their information. We appreciate the French data protection authority’s decision and will continue to provide clear privacy choices and easy-to-use tools in Windows 10.”
Specifically, the notice calls out the following changes in Windows 10:
On the irrelevant or excessive character of collected data:
The company has nearly reduced by half the volume of collected data within the “basic” level of its telemetry service which is capable of identifying the system’s functional issues and solving them. It has restricted its collection to the sole data strictly necessary for maintaining the proper functioning of its operating system and applications, and for ensuring their security.
On the lack of data subjects’ consent:
Users are now informed, through a clear and precise information, that an advertising ID is intended to track their web-browsing in order to offer them personalized advertising. Furthermore, the installation procedure of Windows 10 has been modified: users cannot complete this installation unless they have expressed their choice regarding activation or deactivation of the advertising ID. Moreover, they can reverse this choice at any time.
On the lack of security:
The company has strengthened the robustness of the PIN code allowing users to authenticate to all company’s online services, and more specifically to their Microsoft account: too common PIN code combinations are now forbidden. Moreover, in case of incorrect input, the company has set up a delay for authentication (a temporary suspension of access whose duration increases as the number of attempts rises).
The original complaint criticized Microsoft for its cookie-handling policy. The notice of closure acknowledges that “most” Windows 10-related websites now obtain proper consent, with all Microsoft websites scheduled to be in compliance by September 30, 2017.
CNIL notes that Microsoft has also joined Privacy Shield and is no longer transferring French Windows users’ data to the U.S. That practice was banned by a decision issued by the Court of Justice of the European Union on October 6, 2015.
In May 2017, French authorities fined Facebook 150,000 euros for “massive compilation of personal data [and] browsing activity” without the knowledge or consent of users, following a similar complaint in February 2016.
Google received its own complaint in 2013, with another “compliance package” proposed in 2014.