France Orders Microsoft to Fix 'Invasive' Windows 10
If you’ve installed Windows 10 on your PC, you’re already well aware of how much it loves your data. When you first set up the OS, it will walk you through approving a laundry list of default settings that will collect just about every piece of information on your PC unless you specifically disallow them.
While American regulators seem pretty content to let Microsoft just do its thing, France has had enough. Regulators there have given the company three months to improve privacy, after which the kid gloves may come off.
The chair of France's National Data Protection Commission (CNIL) issued a statement yesterday (July 20) that accuses Microsoft of "collecting excessive data and tracking browsing by users without their consent." Isabelle Falque-Pierrotin, the chairwoman herself, lobbied tough but arguably fair accusations at the Windows manufacturer.
According to the CNIL, Microsoft collects "irrelevant or excessive data," including app installation and utilization metrics on a user-by-user basis. Windows 10 also lacks adequate security, as it allows even users with full administrative access to log in using just a four-digit PIN, but then places no limits on how many wrong PINs may be entered without penalty.
By default, Windows 10 also allows third-party advertisers to track users without their consent, and the OS itself has no built-in protection against invasive cookies.
For European users, there’s one additional problem: Microsoft, a U.S.-based company, also transports personal information outside of the EU under the transatlantic "Safe Harbor" agreement regarding compliance of U.S. companies with EU laws protecting user data.
That agreement, however, was set aside by a court ruling in October 2015. Whatever Microsoft plans to do with the data, it’s supposedly now being obtained under questionable means while negotiators and bureaucrats work out the details of a new agreement known as the U.S.-EU Privacy Shield.
Falque-Pierrotin has given Microsoft three months to clean up its act before she "may appoint an internal investigator, who may draw up a report proposing that the CNIL … issue a sanction against the company." That's not a direct legal threat, but it's probably a hassle that Microsoft wants to avoid.
Indeed, Microsoft responded to the CNIL in a statement, promising to "work closely with the CNIL over the next few months." However, Microsoft denies that its safe-harbor data transfer is in violation of any European laws, stating that its upcoming Privacy Shield adoption should allay concerns over the international data flow. (Privacy Shield aims to replace Safe Harbor with a more comprehensive online privacy framework.)
The good news is that Microsoft will probably be true to its word and work with the EU to improve its privacy option. The bad news is that there's no real reason why Microsoft would have to do the same in the U.S. Stateside users will have to continue being vigilant in the meantime.