Microsoft makes changes to its DP compliance as a result of regulatory action in France

Microsoft has made changes to how it processes personal data as a direct response to a formal notice in July 2016 by France’s Data Protection Authority, the CNIL. At the time, the regulator said that the company had excessive data collection practices, was tracking users’ web-browsing without their consent, and had insufficient procedures to guarantee the security and confidentiality of users’ data.

Microsoft now informs users that an advertising ID is intended to track their web-browsing in order to offer them personalized advertising. Furthermore, the installation procedure of Windows 10 has been modified. Users cannot complete this installation unless they have expressed their choice regarding activation or deactivation of the advertising ID, the CNIL says.

Microsoft has improved its data security by making it impossible to use too frequently used common PIN code combinations. If individuals enter the wrong details, the company has introduced a temporary suspension of access.

Microsoft has joined the EU-US Privacy Shield to govern international transfers of personal data. It has also ceased placing advertising cookies without obtaining users’ consent while they are browsing Microsoft’s websites. This is a rolling programme which will be fully implemented in all its websites by 30th September 2017.

The CNIL says that most of the changes will apply worldwide (for example the new procedure to install Windows, and privacy settings). Some other changes regarding the information to be delivered to end-users are only available in the French version of Windows 10.

President of the CNIL and the EU Article 29 Working Party, Isabelle Falque-Pierrotin, will speak next week at Privacy Laws & Business 30th Anniversary International Conference in Cambridge, UK. Her session is on GDPR implementation: WP29 guidelines for controllers/processors and DPA cooperation on enforcement, and takes place on the morning of Tuesday 4 July.

See the programme for this conference, Promoting Privacy with Innovation, and register at