CNIL orders Microsoft to comply with France’s data protection law

On 20 July, France’s Data Protection Authority, the CNIL, served Microsoft with a formal notice that it must comply with France’s data protection law within three months. The CNIL states that the Windows 10 operating system collects excessive personal data and tracks users without their consent.

The EU Art. 29 Data Protection Working Group (WP29) has established a Contact Group, which means that other national Data Protection Authorities are also conducting their own investigations into the same issue. The CNIL, whose President, Isabelle Falque-Pierrotin, is also the Chair of the WP29, conducted online checks in April and June this year and put questions to the company.

Windows 10 is used by 10 million people in France. The CNIL has identified the following ways in which it alleges that Windows 10 fails to comply with France’s data protection law:

  • “Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.”
  • “The company allows users to choose a four-character PIN to authenticate themselves for all its on-line services, notably to access their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.”
  • “An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.”
  • “The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.”
  • “The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.”

The good news from Microsoft’s perspective is that “the CNIL wishes to state that formal notices are not sanctions and no further action will be taken if the company complies with the Act within the specified timescale, in which case the notice proceedings will be closed and this decision will also be made public.”

The bad news from Microsoft’s perspective is that if the CNIL is not satisfied with the company’s response, the CNIL may “issue a sanction against the company.”

David Heiner, Microsoft’s Vice President and Deputy General Counsel, has issued a statement that does not address the CNIL’s specific criticisms of Windows 10. Instead, he announced: “We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections. We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable.” The rest of the statement explained that the company had continued to transfer personal data from the EU to the US on the basis of the Safe Harbor after it had been declared illegal, but that it was committed to the EU-US Privacy Shield and would sign up to it. Meanwhile, “we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses.”

The CNIL’s formal notice

The CNIL’s guidance on how to adjust Windows 10 privacy settings