The Dutch data protection authority has concluded that Microsoft’s Windows 10 operating system breaches local privacy law on account of its collection of telemetry metadata. The OS has been available since the end of July 2015.
Personal data being harvested by default by Microsoft can include the URL of every website visited if the Windows 10 user is browsing the web with Microsoft’s Edge browser (and has not opted out of full telemetry), as well as data about usage of all installed apps on their device — including frequency of use; how often apps are active; and the number of seconds of mouse, keyboard, pen or touchscreen use.
Microsoft says it gathers and processes Windows 10 users’ data in order to fix errors, keep devices up-to-date and secure and improve its own products and services.
But if users have not opted out, it also uses data from both the basic and full telemetry levels to show personalised advertisements in Windows and Edge (including all apps for sale in the Windows store), and also for showing personalised advertisements in other apps.
According to the local DPA there are more than 4 million active devices using Windows 10 Home and Pro in the Netherlands.
After investigating several versions of the OS (including Windows 10 Home and Pro), the Dutch DPA said today it has identified multiple breaches of data protection law.
“Microsoft does not clearly inform users about the type of data it uses, and for which purpose. Also, people cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used,” it writes.
“Due to Microsoft’s approach users lack control of their data. They are not informed which data are being used for what purpose, neither that based on these data, personalised advertisements and recommendations can be presented, if those users have not opted out from these default settings on installation or afterwards.”
The Dutch DPA’s assertion here, with Windows 10, is that Microsoft is failing to obtain “valid consent for the processing of [people’s] personal data” under current EU DP law — pointing out that, for example, it uses “opt-out options” so does not obtain “unambiguous consent”.
It further notes: “If a person does not actively change the default settings during installation, it does not mean he or she thereby gives consent for the use of his or her personal data.”