Windows 10 telemetry violates privacy laws
The data-collecting activities of Windows 10 have landed Microsoft in trouble again. Having investigated the telemetry built into the operating system, the Dutch Data Protection Authority (DPA) has said that Microsoft's spying is a violation of local privacy laws.
Of particular concern to the authority is the fact that users are not clearly told that data will be collected in both Windows itself and Microsoft Edge. With Microsoft's web browser gathering data about every URL that's visited by users who have not opted out of telemetry, and Windows 10 itself sucking up detailed information about app usage, the DPA is concerned that users are not adequately informed or protected.
The DPA -- the latest European authority to take exception to Microsoft's activities -- says that there are more than 4 million Windows 10 Home and Windows 10 Pro devices in the Netherlands. It notes that users are not informed about data collection properly, nor are they told about how the data will be used. This places Microsoft in violation of the Dutch data protection law.
The DPA says:
Microsoft does not clearly inform users about the type of data it uses, and for which purpose. Also, people cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used.
The authority is calling on Microsoft to make changes to telemetry settings, or the company could find that it faces sanctions in the Netherlands. Wilbert Tomesen, vice-chairman of the Dutch DPA, says:
It turns out that Microsoft's operating system follows about every step you take on your computer. That results in an intrusive profile of yourself. What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves.
Microsoft is understandably keen to resolve the matter, with Windows and devices group privacy officer Marisa Rogers saying that the company is willing to work with the DPA to get things sorted out. She says:
I want our customers to know that it is a priority for us that Windows 10 Home and Windows 10 Pro are clearly compliant under Dutch law.
Since launching Windows 10, we've been on a journey listening to feedback from customers and collaborating with regulators around the world. As a result, we've made improvements to ensure all versions of Windows 10 meet our customers' privacy needs and expectations. For example, we've worked with Swiss and French data protection authorities to incorporate their guidance, subsequently improving the privacy controls in Windows 10 Home and Pro and earning their positive assessments of the changes.
This year we have released a new privacy dashboard and several new privacy features to provide clear choices to our customers and easy-to-use tools in Windows 10. Next week, we have even more privacy improvements coming in the Fall Creators Update.
We welcome the opportunity to continue to work with the Dutch DPA on their comments related to Windows 10 Home and Pro, and we will continue to cooperate with the DPA to find appropriate solutions.
But Microsoft is not entirely happy with the investigations carried out by the DPA. While the company does not elaborate on what it disagrees with, Rogers says:
We have also shared specific concerns with the Dutch DPA about the accuracy of some of its findings and conclusions. A summary of the points in the DPA's announcement, which we believe do not accurately reflect the data protection compliance of Windows 10 Home and Windows 10 Pro under Dutch law, can be found here.