The Dutch data protection agency has asked Microsoft’s lead privacy regulator in Europe to investigate ongoing concerns it has attached to how Windows 10 gathers user data.
Back in 2017 the privacy watchdog found Microsoft’s platform to be in breach of local privacy laws on account of how it collects telemetry metadata.
After some back and forth with the regulator, Microsoft made changes to how the software operates in April last year — and it was in the course of testing those changes that the Dutch agency found fresh reasons for concern, discovering what it calls in a press release “new, potentially unlawful, instances of personal data processing”.
Since the agency’s investigation of Windows 10 started a new privacy framework is being enforced in Europe — the General Data Protection Regulation (GDPR) — which means Microsoft’s lead EU privacy regulator is the Irish Data Protection Commission (DPC), where its regional HQ is based. This is why the Dutch agency has referred its latest concerns to Ireland.
It will now be up to the Irish DPC to investigate Windows 10, adding to its already hefty stack of open files on multiple tech giants’ cross-border data processing activities since the GDPR came into force last May.
The regulation steps up the penalties that can be imposed for violations (to up to 4% of a company’s annual global turnover).
A spokeswoman for the Irish DPC confirmed to TechCrunch that it received the Dutch agency’s concerns last month. “Since then the DPC has been liaising with the Dutch DPA to further this matter,” she added. “The DPC has had preliminary engagement with Microsoft and, with the assistance of the Dutch authority, we will shortly be engaging further with Microsoft to seek substantive responses on the concerns raised.”
A Microsoft spokesperson also told us:
The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible.
Microsoft is committed to protecting our customers’ privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.
The Dutch DPA advises users of Windows 10 to pay close attention to privacy settings when installing and using the software.
“Microsoft is permitted to process personal data if consent has been given in the correct way,” it writes. “We’ve found that Microsoft collect diagnostic and non-diagnostic data. We’d like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this.
“Does Microsoft collect more data than they need to (think about dataminimalization as a base principle of the GDPR). Those questions can only be answered after further examination.”
During the onboarding process for Windows 10, Microsoft makes multiple requests to process user data for various reasons, including ad purposes.
It also deploys the female voice of Cortana, its digital assistant technology, to provide a running commentary on settings screens — which can include some suggestive prompts to agree to its T&Cs. “If you don’t agree, y’know, no Windows!” the human-sounding robot says at one point. It’s not clear whether the Dutch agency’s concerns extend to Microsoft’s use of Cortana to nudge users during the Windows 10 consent flow.