France orders Microsoft to stop collecting excessive user data
The CNIL said the U.S. company had three months to stop tracking browsing by users so that Windows apps and third-party apps can offer them targeted advertising without their consent, failing which it could initiate a sanctions procedure.
The French data protection authority on Wednesday ordered Microsoft Corporation to stop collecting excessive data on users of its Windows 10 operating system and serving them personalized ads without their consent.
A number of EU data protection authorities created a contact group to investigate Microsoft’s Windows 10 operating system following its launch in July 2015, the French privacy watchdog said.
The action against Microsoft mirrors that taken by the CNIL against Facebook, which was ordered in February to stop collecting users’ information then used for advertising without their consent.
Microsoft processes information on all the apps downloaded and installed on Windows by a user and the time spent on each one to identify problems and improve its products. However, the CNIL said it considered this to be excessive since the data “are not necessary for the operation of the service.”
The French watchdog also said that Microsoft puts advertising cookies on users’ terminals without properly informing them beforehand or giving them a chance to opt out.
“It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned [more than 10 million Windows users on French territory],” the CNIL said in a statement.
“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.”
While the fines that can currently be levied by European data protection authorities are paltry compared to the revenues of big U.S. tech companies, a new European Union data protection law set to enter into force in two years provides for fines of up to 4 percent of a company’s annual global turnover.
In addition, the CNIL said Microsoft was still illegally transferring data to the United States using the Safe Harbour framework, which was struck down by the top EU court in October on concerns about mass U.S. surveillance practices.
Companies have had to rely on alternative legal structures such as “model clauses” to move data across the Atlantic in line with tough EU data transfer rules.
However, a source at the company said that Microsoft uses model clauses for U.S. data transfers and is only still certified under Safe Harbour due to contractual obligations.