Microsoft’s Windows 10 breaches privacy law: DPA

14 Oct 2017

The Dutch Data Protection Authority (DPA) has said the lack of clear information about how Microsoft uses the data that Windows 10 collects prevents consumers from giving their informed consent. The regulator said the operating system is breaking the law.

To comply with the law, according to the DPA, Microsoft needed to get valid user consent: which meant the company must be clearer about the type of data it collected and how that data is processed.

The regulator has also complained that the Windows 10 Creators Update did not always respect previously chosen settings about data collection.

Microsoft introduced new, clearer wording about the data collection, in the Creators Update, though the language still was not explicit about what was collected and why.

It also forced everyone to re-assert their privacy choices through a new settings page. In some situations, however, that page defaulted to the standard Windows options rather than defaulting to the settings earlier chosen.

Though Microsoft has listed all the data collected in Windows 10's "Basic" telemetry setting in the Creators Update, it has not done so for the "Full" option, and the Full option remains the default.

The Windows 10 privacy options continued to be a  work in progress for Microsoft. The Fall Creators Update, to be released on 17 October, makes further changes to the way the operating system and applications collect data and the consent required to do so.

The personal data Microsoft collects by default includes  the URL of every website visited if the Windows 10 user is browsing the web with Microsoft's Edge browser (and has not opted out of full telemetry), as also about usage of all installed apps on their device - including frequency of use; how often apps are active; and the amount of seconds usage of mouse, keyboard, pen or touchscreen.