After accusations that Windows 10 collects too much data about users, France's National Data Protection Commission (CNIL) has order Microsoft to comply with the French Data Protection Act within three months. The company has been ordered to "stop collecting excessive data and tracking browsing by users without their consent".
In addition to this, the chair of CNIL has notified Microsoft that it needs to take "satisfactory measures to ensure the security and confidentiality of user data". The notice comes after numerous complaints about Windows 10, and a series of investigations by French authorities which revealed a number of failings on Microsoft's part.
Microsoft is accused of not only gathering excessive data about users, but also irrelevant data. The CNIL points to Windows 10's telemetry service which gathers information about the apps users have installed and how long each is used for. The complaint is that "these data are not necessary for the operation of the service".
The company is also criticized for its lack of sufficient security -- such as the four-digit PIN used to protect payment information which does not have a limit on the number of guesses that can be made. The CNIL's list of complaints does not end there. It also took exception to the activation of an advertising ID for tailored advertising without user consent, the lack of cookie blocking options, and the fact that data is being transferred out of Europe to the US.
In a statement, the CNIL said:
Given the above, the Chair of the CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months. This proceedings only commits French Data protection authority. The other data protection authorities belonging to the WP29 Contact group are continuing their investigations within their respective national procedures.
The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.
It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).
Microsoft has now issued a response to the notice.