Microsoft breaches the Dutch data protection law in the way it processes the personal data of people using the Windows 10 operating system, the country’s data protection agency has said.
On Friday, the Dutch data protection authority (DPA), the Autoriteit Persoonsgegevens, said that Microsoft doesn’t tell Windows 10 Home and Pro users which personal data it collects and why. It also said the firm makes it impossible for users to give their valid consent to their personal data being processed, due to the multiple ways in which that data might subsequently be used.
The data watchdog added that Microsoft “does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used”.
“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” said Wilbert Tomesen, the regulator’s vice-chairman. “What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves.”
As with the French privacy regulator’s now closed investigation into Windows 10 data collection, much of the issue here is telemetry data: system data that Microsoft uses to identify and fix bugs, and to gather feedback on its products, but that can also qualify as “personal data” when linked to a specific user.
The data includes information about which apps people have installed and how often they are used, as well as information on web-surfing behaviour.
The agency said that Microsoft offers two levels of telemetry: basic and full. At the basic level limited data is processed about device usage, but with full telemetry detailed data on app usage is processed as well as data about web surfing behaviour through Edge and (parts of) the content of handwritten documents via an inkpad.
While Microsoft offers users an overview of the categories of data that it collects through basic telemetry, it only informs people in a general way, with examples, about the categories of personal data it collects through full telemetry, the regulator said.
“The way Microsoft collects data at the full telemetry level is unpredictable. Microsoft can use the collected data for the various purposes, described in a very general way. Through this combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data,” it said.
The Dutch DPA warned that, while Microsoft has promised to end its “violations”, failure to do so could lead the watchdog to impose “a sanction” on Microsoft.
In response, Microsoft Windows privacy officer Marisa Rogers said the company is prioritising compliance with the Dutch data protection law, but it has also “shared specific concerns with the Dutch DPA about the accuracy of some of its findings and conclusions”.
In an extensive document describing Microsoft’s issues with the Dutch authority’s analysis, the company said this diagnostics data was needed “when investigating an issue impacting the Windows ecosystem.”
“The Dutch DPA claims we cannot obtain lawful consent given the flexibility of our telemetry program, since the data we collect can change over time,” the document read. “Though we disagree with this, we plan to collaborate with the Dutch DPA to discuss key aspects of our data processing operations and implement improvements.”
Where the Dutch DPA claimed that Microsoft by default used telemetry data to show people personalised advertising, the company said turning on Relevant Ads in the Windows 10 settings “does not enable…use of Windows diagnostics data in connection with advertising in apps”.
Microsoft also said its Creators Update and upcoming Fall Creators Update for Windows 10 make it easier for users to appreciate and control their privacy choices. The new update will give users access to Microsoft’s privacy statement during setup, and let them more easily access privacy settings when setting up a new device.