Windows 10 privacy settings still worrying European watchdogs

European Union data protection authorities continue to have privacy-related concerns about Microsoft’s Windows 10 operating system, despite the company making some tweaks to privacy settings for users of the OS after criticism and concerns were raised last year.

Concerns have focused on the volume of data being gathered by default on Windows 10, and whether Microsoft obtains fully informed consent from users to collect and process their data.

Last month Redmond tweaked the Windows 10 set-up, claiming it was “simplifying Diagnostic data levels and further reducing the data collected at the Basic level”.

Existing users of the OS are due to get the new privacy settings structure (pictured below) via a future update to the platform: Windows 10 Creators Update.


However in a letter sent to Microsoft last month (and published yesterday on the WP 29’s website), two days after the company blogged about these changes, the EU data protection watchdog group said it still has “significant concerns” about how Microsoft is collecting and processing users’ personal data.

The group goes on to ask Microsoft to provide more information. It writes:

The Working Party has significant concerns with some of the personal data collected and further processed by Microsoft within the Windows 10 operating system and specifically the default settings or apparent lack of control for a user to prevent collection or further processing of such data.

As a result the Working Party specifically requests further explanatory information from Microsoft, as data controller for this personal data, as to how the opt-outs, default settings and other available control mechanisms presented during the installation of Windows 10 operating system provide a valid legal basis for the processing of personal data under the Data Protection Directive 95/46/EC.

This is especially of concern where Microsoft would rely on consent as a legal basis for the processing of personal data. The Working Party has previously published Opinion 15/2011 on the definition of consent which highlights that for consent to be considered valid it must be fully informed, freely given and specific.

Windows 10 launched back in July 2015, and almost immediately garnered criticism for the use of default settings to harvest large amounts of user-data, such as web browsing history and wi-fi network names and passwords — for purposes including displaying personalized adverts as users browse the web, and even for ads displayed within the built-in Solitaire game.

User-data is also fed in to train Microsoft’s Cortana digital assistant — which the company brought to desktop users with the launch of Windows 10.

And while users were given the ability to opt-out of data collection, the process for doing so was criticized for being complex and opaque — apparently comprising 45 pages of privacy policy documents, with opt-out settings spread across 13 different screens and housed on an external website.

The EDRi European digital rights group summed up their view at the time thus:

…one can say that Microsoft basically grants itself very broad rights to collect everything you do, say and write with and on your devices in order to sell more targeted advertising or to sell your data to third parties. The company appears to be granting itself the right to share your data either with your consent “or as necessary”.

Criticism of the apparently not-so-privacy-conscious defaults attracted the attention of the EU’s data protection watchdog group, the Article 29 Working Party, and an investigation by several national data protection authorities followed — including France’s CNIL, which ordered the company to stop excessive data collection last summer.

Among the breaches CNIL has accused Microsoft of are: data proportionality requirements; failing to obtain notice for data transfers; breaking cookie law requirements; having inadequate security protections for personal data; failure to file an authorization request for processing personal data for fraud prevention purposes; and breach of cross-border data transfer restrictions, following the October 2015 invalidating of the Safe Harbor framework (which CNIL said was still referenced in Microsoft’s privacy statement).

A deadline for Microsoft to submit a reply to CNIL was late last month, and a spokeswoman for the DPA told TechCrunch it’s currently analyzing the company’s response. The regulator has the power to fine Microsoft if it finds it to be in non-compliance. And its capacity to levy fines was recently beefed up by French lawmakers — so it’s now able to impose fines of up to €3M for breaches of domestic privacy laws.

The incoming EU General Data Protection Regulation — which is due to come into force across the region in May 2018 — also increases the potential penalties for companies breaching of EU data protection law, with fines of up to four per cent of annual turnover for enterprises that are found to be in non-compliance.

In a statement emailed to TechCrunch about ongoing concerns about Windows 10’s data gathering and processing, a Microsoft spokesperson said:  “We are listening carefully to comments from members of the Art. 29 Working Party and we will continue to cooperate with the Working Party and national data protection agencies. Our January announcement of changes coming to the Windows 10 privacy settings reflect our commitment to the protection of our users’ personal data.”

At the same time as tweaking the Windows 10 set-up to respond to privacy concerns, the company launched a web-based privacy dashboard for Microsoft account users to review and amend privacy settings pertaining to data collection across several different Microsoft services, including location, search, browsing, and Cortana Notebook.

In recent months the issue of informed consent for sharing user data has also caused Facebook and WhatsApp to fall foul of European regulators. Last November the companies were forced to suspend data-sharing after making a change to WhatsApp’s privacy policy that pushed users to consent to sharing data such as their mobile phone number with the messaging app’s parent company. In that instance, users had only been offered a partial opt-out — with the window for opting out of the data-sharing closing 30 days after they accepted the app’s updated T&Cs.