Microsoft has been pulled up by the Dutch Data Protection Authority over the way it aggressively collects user data from Windows 10 PCs without offering customers clear ways to opt out.
Microsoft has refuted the allegation but has said it will work with Dutch authorities to ensure it conforms to data privacy laws.
‘Microsoft does not clearly inform users about the type of data it uses, and for which purpose,’ said the Dutch Data Protection Authority in a sharp commentary on Microsoft’s adherence to privacy laws.
‘People cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft,’ it added. ‘They are not informed which data are being used for what purpose, neither that based on these data, personalised advertisements and recommendations can be presented, if those users have not opted out from these default settings on installation or afterwards.’
The authority went on to state that Microsoft also didn’t inform users that it constantly collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, if people do not change their default settings. The extent of data collection by Microsoft is such that it knows which apps are installed in a Windows 10 Home or Office machine, how often such apps are used, as well as other telemetry data on user behaviour.
Responding to the authority’s accusations, Microsoft has admitted that it does collect user data but only for essential purposes like improving the performance of the Windows operating system, quickly responding to threats and fully personalising people’s Windows 10 experience.
The software giant also stressed that it offers clear ways for people to accept or refuse permission for Microsoft to collect diagnostic data. It added that not only does it inform users that it processes diagnostic data for personalisation, but it also keeps updating its privacy settings to make it easier for users to make privacy choices.
The Dutch Data Protection Authority, for its part, stated that Microsoft offers users an overview of the categories of data that it collects through basic telemetry, but only informs people in a general way, with examples, about the categories of personal data it collects through full telemetry.
‘It is not made sufficiently clear that at the full telemetry level, Microsoft continuously collects data about the usage of apps and web surfing behaviour through Edge, including for example news articles that have been read and locations entered into apps.
‘Microsoft has not respected existing privacy choices from some users when they upgraded to the Creators Update. This applies to the people who downloaded the operating system themselves. If they had previously selected basic telemetry in a prior Windows version and did not actively change the privacy settings upon installation of the Creators Update, the settings were switched to full telemetry level,’ it added.
Microsoft has refuted these allegations as well, stating that it is transparent about the diagnostic data it collects. However, it also said that collected data can be used for more than one specific requirement. For example, data collected for troubleshooting a reliability issue in Windows 10 can also be used to improve a security feature of Windows.
While Microsoft has stated that it does provide additional information on the data it collects by offering ‘Read more’ links on Privacy settings pages, it is clear that the Dutch Data Protection Authority wants Microsoft to disclose information in a way which average users can clearly access and understand before making privacy choices.
It remains to be seen how satisfied the Dutch authority will be with Microsoft’s response and whether it will force the company to change either the way it collects user data or the way it discloses data collection activities to users.