Regulators say Microsoft is collecting too much information on Windows users without informing them how that data is being used
The EU’s data protection authorities are still “concerned” about the data collection practices built into Windows 10, after Microsoft announced changes to the operating system, they have said in an official letter to the company.
The letter follows previous criticism of Windows 10 by the Article 29 Working Party, or WP29, made up of the EU’s 28 data protection watchdogs, including the UK Information Commissioner’s Office (ICO), which last year expressed “serious concerns” on the levels of data collected by Microsoft.
Data protection ‘violations’
France’s CNIL, which currently leads the group, last July demanded Microsoft to “halt the excessive collection of data and the tracking of users’ browsing without their consent”.
It argued Windows 10 includes “numerous infractions” with regard to data protection laws, including the collection of too much personal data under a telemetry programme intended to keep the software running properly, and criticised Microsoft for activating by default, without user knowledge or consent, a tracking tool intended to deliver targeted advertising.
In August the US’ Electronic Frontier Foundation (EFF) echoed the CNIL’s comments, criticising Windows 10 for sending an “unprecedented amount of usage data back to Microsoft”, including location data, text input, voice input, touch input, web pages visites, and telemetry data including programs run and for how long.
In response, Microsoft announced a Windows 10 update in January – the ‘Creators Update’, scheduled for release this spring – which includes a web-based dashboard that prompts users to select the level of data-sharing desired.
The settings screen appears for new installs, and existing users will also see a prompt asking them to choose their privacy settings, according to Microsoft.
‘Not enough information’
But in its letter to Microsoft chief executive Satya Nadella, excerpts of which were published by several media outlets, the WP29 said Microsoft’s use of the data it collects remains unclear.
“Even considering the proposed changes to Windows 10, the Working Party remains concerned about the level of protection of users’ personal data,” the group said, while acknowledging Microsoft’s goodwill and willingness to cooperate.
It isn’t enough to present users with choices about data collection when they don’t have any way of understanding what their choices mean, the group said.
“Microsoft should clearly explain what kinds of personal data are processed for what purposes,” it wrote. “Without such information, consent cannot be informed, and therefore, not valid.”
Microsoft didn’t immediately respond to a request for comment.
The company said at a conference in Australia on Monday it is planning a second major Windows 10 release this year, after the Creators Update, which is expected to include design elements from the Neon user-interface project.
Last year the WP29 also took Facebook’s WhatsApp and Yahoo to task over their data-sharing practices, which the group argued may violate European data-protection laws.
How much do you know about privacy? Try our quiz!