Microsoft could face a GDPR penalty after the Netherlands’ data-protection office asked its Irish counterpart to investigate new aspects of Microsoft’s Windows 10 telemetry data collection.
The case stems from the Dutch data-protection agency’s (DPA’s) findings in pre-GDPR 2017. At that time, the agency found that Microsoft didn’t tell Windows 10 Home and Pro users which personal data it collects and how it uses the data, and didn’t give consumers a way to give specific consent.
As part of the Windows 10 April 2018 Update, Microsoft last year released new privacy tools to help explain to users why and when it was collecting telemetry data. And by April 2018, the Dutch DPA assessed that the privacy of Windows 10 users was “greatly improved” due to its probe, having addressed the concerns raised over earlier versions of Windows 10.
However, the Dutch DPA on Tuesday said while the changes Microsoft made last year to Windows 10 telemetry collection did comply with the agreement, the company might still be in breach of EU privacy rules.
“Microsoft has complied with the agreements made,” the Dutch DPA told Reuters. “However, the check also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules.”
A breach could potentially expose Microsoft to GDPR fines of up to 4% of an organization’s global revenue. Though it’s unlikely Microsoft’s breach would attract the maximum fine.
Nonetheless, this July the Dutch DPA put in a request with Ireland’s DPA to take up the case. The move is significant because it’s where most US tech giants locate their non-US headquarters, including Microsoft.
As TechCrunch notes, Ireland’s DPA is Microsoft’s lead privacy regulator in Europe and confirmed it had received the Netherlands’ request.
It’s not clear exactly how Microsoft could have breached GDPR rules, but the Dutch DPA’s statement mentions Windows 10 collecting non-diagnostic data and questions whether users are informed of this collection.
“We’ve found that Microsoft collect diagnostic and non-diagnostic data. We’d like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this,” the Dutch DPA said in a statement.
“Does Microsoft collect more data than they need to (think about data minimalization as a base principle of the GDPR)?. Those questions can only be answered after further examination.”