Microsoft is no stranger to being accused of, or even formally charged with, violating consumer privacy laws and related regulations, especially within the European Union, where American companies like Google and Facebook face increasing scrutiny over how they handle citizens’ data. This formal notice from France’s national data protection agency, the Commission Nationale de l’Informatique et des Libertés (CNIL), is yet another chapter. But the issues the CNIL raised also touch the heart of an ongoing negotiation between the US and the EU over the transfer of data across the Atlantic.
While Windows 10 arguably scores well on features, it hasn’t exactly been known for its privacy and security measures. By default, the OS is configured to gather users’ data, both to improve services and to serve advertising. In most cases, these settings aren’t disclosed to users when Windows 10 is first installed or upgraded.
Those are the very matters that have the CNIL concerned. After a three-month investigation that ended in June, it has served Microsoft notice on at least five concrete issues:
• Collecting excessive data, such as the time users spend in each app installed from its store.
• Loose security, such as a 4-digit PIN that can be retried an unlimited number of times.
• Not asking users for permission first when collecting data, especially for advertising.
• Storing cookies from websites.
• Transferring data from the EU to the US.
That last point is a particularly thorny subject. According to the CNIL, Microsoft is using the Safe Harbor framework as the legal basis for its transatlantic data transfers. The problem is that the EU declared Safe Harbor invalid in October 2015, which in practice makes Microsoft’s data transfers illegal. In its official response, Microsoft defends its practice, saying that it isn’t relying on Safe Harbor alone but also on other legal mechanisms approved by the European Commission. It also says that it is already working towards meeting the requirements of Privacy Shield, the new framework approved by both the US and the EU.
France is giving Microsoft three months to comply; if it does so, no further action will be taken and the matter will be closed.