If you are one of the estimated 400 million users of Microsoft’s Windows 10 around the world, you will want to know all about the latest ruling from the Dutch Data Protection Agency (DPA), which has declared that the operating system seriously breaches Dutch Data Protection laws.
But whilst the ruling may only apply to the 4 million Windows 10 users in the Netherlands, the details of the DPA’s findings will be of interest to all users.
Multiple Data Protection breaches
The DPA has been investigating several versions of the Windows operating system, most notably the Windows 10 Home and Pro versions. In their ruling, the DPA has highlighted multiple breaches of Dutch Data Protection Law.
The first fault relates to Microsoft’s failure to adequately inform users about what data it uses and for what purpose. The range of data Windows 10 can harvest is extraordinary and can include the URLs of every website visited using Microsoft’s Edge browser and data about how any apps uploaded onto Windows are being used.
It is possible to opt out of this, but that process is unclear and, according to the DPA, Microsoft does not make clear to users how their data is being used if the default settings are not changed.
The reasons for Microsoft’s data collection are “described in a very general way” but the DPA says, “The way Microsoft collects data at the full telemetry level is unpredictable… Through [a] combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data.”
Microsoft claims that any data it collects is used to “fix errors, keep devices up-to-date and secure and improve its own products and services” but it is clear that Windows 10 also uses data to deliver personalised adverts in Windows, Edge, and other apps running on the operating system.
Windows 10 “follows you”
The vice-chairman of the Dutch DPA, Wilbert Tomesen, gave a damning assessment of how Windows 10 operates which will deeply worry many users. He said in a statement that “It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself.”
“Microsoft needs to give users a fair opportunity to decide about this themselves,” he concluded. At present, the DPA has not taken action against Microsoft for the violations because it says that Microsoft has indicated to them that they want to comply with Dutch Law. They do however reserve the right to impose a financial penalty if they fail to improve Windows 10.
They are not the first country to threaten Microsoft with sanctions for the lax privacy provisions in Windows 10. The French Data Protection body, the Commission Nationale de l’Informatique et des Libertés (CNIL), gave them 3 months to bring the software in line with French laws back in July 2016. And the EU too has raised concerns on several occasions.
But while Microsoft has made some changes, including the introduction of a new privacy dashboard at the start of this year, the problems remain.
Microsoft set to challenge ruling
For its part, Microsoft has issued a robust response on its company blog, giving a point-by-point rebuttal of where it disagrees with the DPA findings and saying it has shared “specific concerns” with them about the “accuracy of some of its findings and conclusions”.
They went on to say “We welcome the opportunity to continue to work with the Dutch DPA on their comments related to Windows 10 Home and Pro, and we will continue to cooperate with the DPA to find appropriate solutions… It is a priority for us that Windows 10 Home and Windows 10 Pro are clearly compliant under Dutch law.”
Conciliatory words, but the numerous challenges Microsoft has issued to the ruling suggest a battle over the semantics of the DPA’s findings rather than an effort to find a solution in the best interests of their users.
The story goes to emphasise the point that data is a hugely valuable commodity to all of these tech companies and they will endeavour to get hold of it to maximise profit for their business. It is therefore vital that regulatory bodies like the DPA are given the powers to stand up to them and users are made aware of the concerns they raise.
In Europe, the situation will become a whole lot tougher when the new EU Data Protection Framework comes into force. But this new law will only be worth the paper it’s written on if regulators are given the power to properly enforce it.