Dutch DPA says Microsoft breaches data protection laws with Windows 10

Arif Bacchus

Windows 10 Logo Featured Image Generic Hero

Microsoft has faced criticism over privacy issues in the Windows 10 operating system in the past, and it is looking as though the issue just won’t disappear. In the newest saga, the Dutch Data Protection Authority (DPA) is finding that Microsoft is breaching local data protection laws with Windows 10 Home and Pro (via TechCrunch.)

Specifically, in Windows 10 Home and Pro, the DPA finds that Microsoft does not clearly inform users about the type of data it is collecting, and for which purpose. The Dutch agency has issues with basic and full telemetry, the purposes of telemetry, and consent for telemetry in Windows 10. Here is a bit more on what the DPA is saying:

People cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used. Microsoft has indicated that it wants to end all violations. If this is not the case, the Dutch DPA can decide to impose a sanction on Microsoft.

The DPA issued a lengthy release about the matter, in which it is explained that there are nearly 4 million active Windows 10 devices with Windows 10 Home and Pro in the Netherlands. From the release, it is apparent that the DPA has an issue with the way that Microsoft “continuously collects technical performance and user data from the devices.” The DPA is lead to believe that this telemetry data “take pictures” of the way Windows 10 users behave in the OS, creating an “intrusive profile.”

These data are called ‘telemetry data’. With telemetry Microsoft – as it were – takes pictures of the behavior of Windows users, and continuously sends these pictures to itself. Due to Microsoft’s approach users lack control of their data. They are not informed which data are being used for what purpose, neither that based on these data, personalized advertisements and recommendations can be presented, if those users have not opted out from these default settings on installation or afterward.

Windows 10 Creators Update Privacy Settings
The Creators Update introduced simplified privacy settings during the set up experience

To be fair, with the Creators Update, Microsoft made changes to the way that Windows 10 handles privacy-related settings. and the company previously said that it has reduced by about half the volume of data we collect at the “Basic” level. The changes were well received by users and have been called positive. This, though, is apparently not enough for the DPA, which says that the privacy settings are only shown in a “general way” and are “unpredictable.”

Microsoft responded to the DPA accusations shortly after in a blog post, where the company highlights various privacy-related changes in the Creators Update.

I want our customers to know that it is a priority for us that Windows 10 Home and Windows 10 Pro are clearly compliant under Dutch law.

We’ve made improvements to ensure all versions of Windows 10 meet our customers’ privacy needs and expectations. For example, we’ve worked with Swiss and French data protection authorities to incorporate their guidance, subsequently improving the privacy controls in Windows 10 Home and Pro and earning their positive assessments of the changes.

We welcome the opportunity to continue to work with the Dutch DPA on their comments related to Windows 10 Home and Pro, and we will continue to cooperate with the DPA to find appropriate solutions.

Microsoft also dismissed the DPA’s claims by citing a Fact Sheet, which points to all the privacy improvements introduced in the Creators Update. The DPA has not yet responded to Microsoft’s rebuttal, meaning there is definitely more time for this latest saga to develop.