Since the launch of Windows 10, Microsoft has been in some hot water over its method of data collection. The Commission Nationale de l’Informatique et des Libertés (CNIL), concerned for French users, performed seven tests on Windows 10 last year. Originally, it found that the operating system was over-collecting data and tracking browsing without consent, and it raised some security concerns about user data.
Microsoft countered that Windows 10 wasn’t actually violating personal privacy. However, after some adjustment on Microsoft’s part, the CNIL announced this week that it is dropping the complaints against Windows 10 (via Thurrott). Today, the French regulators announced that Windows 10 now complies by offering users a large number of data collection choices.
The CNIL has closed the formal proceedings against Microsoft in light of the following changes (roughly translated):
Whether the data collected are irrelevant or excessive
- The company has reduced the volume of data collected under the “base” level of its telemetry service by nearly half, identifying system problems and solving them. It limited this collection to the data strictly necessary to maintain the system and applications in good working order and to ensure their safety.
On the lack of consent of persons
- The users are now informed, by a clear and precise mention, that an advertising identifier is destined to follow their navigation to offer them targeted advertising. In addition, the installation procedure for Windows 10 has been modified: users cannot finalize the installation until they have expressed their choice of enabling or disabling the ad identifier. They may, moreover, return at any time to that choice.
On the safety fault
- The company has strengthened the robustness of the 4-digit PIN code, enabling users to authenticate themselves to access all of the company’s online services, including their Microsoft accounts, with over-common combinations being denied. In addition, in the case of incorrect entry, the company has set up an authentication timing mechanism (temporary suspension of access, the duration of which increases as attempts are made).
In addition, in accordance with the other injunctions of the formal notice, the company:
- Inserted information in accordance with Article 32 of the law “Informatique et Libertés”;
- Made requests for authorization from the CNIL for its anti-fraud treatment;
- Adhered to the Privacy Shield to govern international transfers of personal data;
- Put an end to the deposit of cookies without prior compilation of the consent of Internet users when consulting most of its Windows 10 websites and committed to do so for the whole before September 30, 2017.
Microsoft is formally being cleared of the injunctions by the French regulators. Of course, while most of the data collection is opt-in, most of it continues to be turned on by default, leaving most consumers to gloss over the fine print. However, in the case of CNIL vs Microsoft, it seems that is enough to meet the official standards.