The President of the French Data Protection Authority (CNIL) has issued a formal notice to Microsoft Cooperation urging the company to make Windows 10 compliant with French data protection law within three months. The CNIL highlighted the following issues :

  • The telemetric service used for the purpose of diagnosing issues and improving the services also collects data on the use of all Windows and Window store apps downloaded by the user. The CNIL considers this unnecessary for the relevant purpose and therefore excessive.
  • Microsoft provides a four-digit pin code system to allow users to authenticate all services at the same time, with an unlimited number of trials. The CNIL considers that this does not offer adequate security.
  • The advertising ID is activated automatically by default, whereas French law requires user consent.
  • The information provided to the user about cookies is insufficient and no adequate opt in or out options are available.
  • Transfers to the US are still governed by the invalidated Safe Harbor arrangements.
  • The services used to fight against fraud should have been submitted for prior authorisation to the CNIL.

Microsoft’s failure to comply within three months may result in a fine of up to €150,000 under the current regime or up to €3 million when the new French Digital Republic law is implemented later this year. Microsoft has announced its cooperation with the CNIL and will release an updated privacy statement next month.

Press release (in French)