Windows 10: official closure of the formal notice procedure served on MICROSOFT CORPORATION
June 2017 by Marc Jacob
The Chair of the French data protection authority (CNIL) issued formal notice to MICROSOFT CORPORATION on 30th June 2016. Since then, the company has brought itself into line with data protection rules, and the formal notice procedure has therefore been closed.
Following the launch of Windows 10 in July 2015, the CNIL was alerted through the press and by letters from political parties on potential violations of the French Data Protection Act.
Seven online observations were carried out between April and June 2016. On that occasion, several violations were found, in particular: excessive collection of personal data, tracking of users’ web browsing without their consent, and a lack of security and confidentiality of users’ data.
These findings led the Chair of the CNIL to serve, in July 2016, formal notice on MICROSOFT CORPORATION in order for it to comply with the French Data Protection Act within a period of three months. It was decided to publish this formal notice, notably on grounds of the seriousness of the violations and of the number of data subjects concerned (more than ten million users of Windows 10 on the national territory). MICROSOFT asked the Chair of the CNIL for an additional three-month period (that is, until 20th January 2017).
MICROSOFT CORPORATION’s response
The company’s response led the CNIL to consider that the violations had ceased. Indeed, the company has implemented several measures in order to comply with the requirements stated in the formal notice.
On the irrelevant or excessive character of collected data:
• The company has reduced by nearly half the volume of data collected at the “basic” level of its telemetry service, which is used to identify and resolve functional issues in the system. It has restricted this collection to the sole data strictly necessary for maintaining the proper functioning of its operating system and applications, and for ensuring their security.
On the lack of data subjects’ consent:
• Users are now informed, through clear and precise information, that an advertising ID is intended to track their web browsing in order to offer them personalized advertising. Furthermore, the installation procedure of Windows 10 has been modified: users cannot complete the installation unless they have expressed their choice regarding activation or deactivation of the advertising ID. Moreover, they can reverse this choice at any time.
On the lack of security:
• The company has strengthened the robustness of the PIN code that allows users to authenticate to all of the company’s online services, and more specifically to their Microsoft account: overly common PIN combinations are now forbidden. Moreover, after incorrect entries, the company has introduced an authentication delay (a temporary suspension of access whose duration increases as the number of attempts rises).
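As an added illustration, not code from the article, from Microsoft or from the CNIL, here is one way a service can implement the two controls described in that bullet: a denylist of common PINs and an authentication delay that grows with each failed attempt. The denylist entries, the pattern checks and the doubling schedule are assumptions chosen for the example.

```python
from dataclasses import dataclass, field

# Constructed denylist of frequently chosen PINs (assumption: the real list
# used by the service is not given on the page).
COMMON_PINS = {"0000", "1111", "1234", "2580", "4321", "1212", "0852", "2000"}


def is_too_common(pin: str) -> bool:
    """Reject denylisted PINs, single-digit repeats and straight ascending or
    descending runs (the two pattern checks are an assumed extension)."""
    if not pin.isdigit() or len(pin) < 4:
        return True
    if pin in COMMON_PINS or len(set(pin)) == 1:
        return True
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


@dataclass
class EscalatingDelay:
    """Per-account lockout: 1 s after the first failure, doubling each time."""
    base_seconds: float = 1.0
    cap_seconds: float = 3600.0
    # account -> (consecutive failures, time until which access is suspended)
    failures: dict = field(default_factory=dict)

    def delay_for(self, count: int) -> float:
        if count == 0:
            return 0.0
        return min(self.base_seconds * 2 ** (count - 1), self.cap_seconds)

    def check(self, account: str, pin_ok: bool, now: float) -> tuple[bool, float]:
        """Return (accepted, seconds_to_wait). A correct PIN during a suspension
        is still refused, so guessing cannot be sped up by retrying early."""
        count, locked_until = self.failures.get(account, (0, 0.0))
        if now < locked_until:
            return False, locked_until - now
        if pin_ok:
            self.failures.pop(account, None)  # success resets the counter
            return True, 0.0
        count += 1
        wait = self.delay_for(count)
        self.failures[account] = (count, now + wait)
        return False, wait
```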
Furthermore, in accordance with other injunctions of the formal notice, the company has:
• inserted the information required under Article 32 of the French Data Protection Act;
• requested an authorisation by the CNIL with regard to its processing of personal data for anti-fraud purposes;
• joined Privacy Shield to govern international transfers of personal data;
• ceased to place advertising cookies without obtaining users’ consent while they browse most websites on Windows 10, and committed to doing the same for all of its websites before 30th September 2017.
The Chair of the CNIL has considered that the company has complied with the French Data Protection Act and has therefore decided to close the formal notice procedure.