Windows 10 personal data collection ruled 'excessive'

Windows 10 collects "excessive" data on users, violates privacy laws in "numerous" ways and must be fixed within three months, France's data privacy watchdog announced in findings that could herald decisions to come in Canada and elsewhere in Europe.

Microsoft faces fines in France if it doesn't curb tracking of users' behaviour

Microsoft's Windows 10 operating system collects "excessive" data on users, violates privacy laws in "numerous" ways and must be fixed within three months, France's national data privacy watchdog announced Wednesday.

The findings could herald decisions expected in the coming months in Canada and other European countries over an operating system that has raised a rash of privacy concerns about how it tracks users.

France's Commission Nationale de l'Informatique et des Libertés (National Commission for Information Technology and Civil Liberties, or CNIL in French) says in a notice posted online today that it has warned Microsoft about the breaches and the software giant could be penalized if it doesn't "cease the excessive collection of users' data and browsing history without their consent."

The agency alleges Microsoft is violating France's data privacy law by:

  • Using Windows 10 to track all the programs users install on their system and the amount of time they spend using each one.
  • Allowing users to set a relatively weak, four-digit PIN code to access online services, including online payment history, without capping the number of incorrect PIN attempts before someone is locked out of the account.
  • Targeting users with Microsoft and third-party advertising based on their browsing history, without prior user consent.
  • Tracking and targeting users with browser cookies without informing them or implementing an opt-out.
  • Transmitting personal information back to the United States, where Microsoft is headquartered, under the auspices of the EU-U.S. "safe harbour" agreement, despite a decision last October by the European Court of Justice ruling the agreement invalid. 

Prompted by media reports and letters from several French political parties, France's data privacy agency began looking into Windows 10 shortly after the operating system launched in July 2015.

The agency is considered one of the toughest in Europe and has already gone after Google over the European Union's "right to be forgotten" rule.

Other European national privacy watchdogs are also looking at Windows 10, as is the Office of the Privacy Commissioner of Canada.

Microsoft vice-president David Heiner said in a statement Wednesday afternoon that the company "will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable."

He added that Microsoft is "working now toward" meeting the terms of the new EU-U.S. Privacy Shield, a more stringent framework meant to replace the "safe harbour" agreement.