Dutch Data Protection Authority says Microsoft breaches law with Windows 10

Microsoft breaches the Dutch data protection law by processing personal data of people who use the Windows 10 operating system on their computers. This is the conclusion of the Dutch Data Protection Authority (DPA) after its investigation of Windows 10 Home and Pro.

The DPA, also known as Autoriteit Persoonsgegevens, published a notice Thursday stating conclusions from an August report. It found that Microsoft isn’t being clear about its use of the data it collects. Consequently, users lack the ability to grant consent through Windows 10’s settings. If Microsoft doesn’t end the violations of the country’s data protection law, then “the Dutch DPA can decide to impose a sanction on Microsoft,” the notice indicated.

The Dutch DPA’s researchers ran tests to compile their findings, but they had to rely on an internally used Microsoft tool to get some of the technical data because “Microsoft does not provide users access to the telemetry data collected on the device or sent to Microsoft,” according to the August report (PDF). The telemetry information is difficult to track.

“After the installation, it is impossible, even for technically advanced system operators, to trace what personal data Microsoft is actually collecting via telemetry,” the researchers noted, “Let alone for average users.”

The researchers had limited access time to use Microsoft’s tool. Moreover, the tool “doesn’t capture telemetry data collected during start-up and install,” the report noted.

Despite those limitations, the Dutch DPA researchers found multiple privacy concerns, especially with the “Full telemetry” privacy option turned on (Microsoft has been offering two privacy options, “Basic” and “Full,” since the release of the Windows 10 Creators Update). The Full option collects “detailed information about app usage, as well as data about websurfing behaviour through Edge and (parts of) the content of handwritten documents (via an inkpad),” the researchers noted. In addition, the Full level is turned on by default, forcing users to opt out. There were many other claims in the nine-page report.

Microsoft’s Response
Microsoft published a response saying that it has been “on a journey” since the launch of Windows 10. It has already reconciled privacy concerns with “Swiss and French data protection authorities,” and it has made it a priority to be “compliant under Dutch law,” too.

France’s data protection commission had issued complaints last year about Windows 10’s privacy, but indicated in June of this year that Microsoft had complied with its objections. Specifically, Microsoft now informs users about advertising IDs and it strengthened its PIN security, among other details.
