Microsoft is under the gun in France, after the company was ordered by the French data protection authority to curtail its “excessive” collection of user data on the Windows 10 operating system, and at the same time stop tracking user browsing activity in order to serve targeted ads.

The Commission Nationale de l’Informatique et des Libertés (CNIL) served a formal notice stating that Microsoft has three months to comply with the French Data Protection Act. The issues found, which are numerous, were a result of a contact group investigation into Microsoft and its Windows 10 OS created by a number of European Union data protection authorities.

The issues are as follows:

A lack of security:

The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential.

Lack of individual consent:

An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.

Lack of information and no option to block cookies:

The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.

Data still being transferred outside EU on a “safe harbour” basis:

The company is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015.

Not a sanction … yet

CNIL has said that the notice has not been issued to stop advertising appearing on Microsoft services, but to “enable users [10 million of them in French territory] to make their choice freely, having been properly informed of their rights.”

This is not a sanction, says CNIL, but if Microsoft fails to comply with the notice within the timescale given a sanction could be issued.

It’s reported that a new European Union data protection law could come into effect within the next two years. At the moment fines by EU data protection authorities may seem small in view of Microsoft’s revenue, but with the new aforementioned law, fines could be as much as 4 percent of a company’s worldwide turnover.

Microsoft has already responded to the notice, with the company’s vice president and deputy general counsel, David Heiner, saying that Microsoft built strong privacy protections into Windows 10. He also said that Microsoft would work closely with CNIL to ensure solutions are found.

Microsoft has still been using the Safe Harbour Framework to transfer the data of European citizens to the US even though the Safe Harbour agreement was declared invalid by the European Court of Justice in 2015.

Heiner noted that Microsoft, as well as using the Safe Harbor Framework, also relies on various legal agreements to transfer data over to the U.S. This, he said, included, “Standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities.”

On August 1^st this year a revised data transfer Privacy Shield agreement between the U.S. and EU will be available to sign and Microsoft has stated it is pleased with the pact.

Photo credit: Josh Hallet via Flickr