Privacy of Windows users greatly improved following Dutch DPA investigation
Following an investigation by the Dutch Data Protection Authority (DPA), Microsoft has greatly improved the privacy of Windows users. In October 2017 the Dutch DPA concluded that Microsoft was collecting telemetry data from Windows 10 Home and Windows 10 Pro users contradictory to privacy legislation. Microsoft plans to rectify the situation through the next Windows update (April 2018), which will be implemented across the entire European Union.
Microsoft continuously collects technical performance and user data. This includes which apps are installed and, if the user has not changed the default settings, how often apps are used, as well as data on web surfing behaviour. These data are called ‘telemetry data’. Microsoft takes continuous pictures – as it were – of the behaviour of Windows users and sends them to itself.
Rectification via new update
Microsoft plans to rectify the situation through the next Windows 10 update in April 2018. This will end the violations noted in the Dutch DPA’s investigation report. Microsoft will ensure that users are better informed about the data it collects and what this data is used for. In addition, users can take active, straightforward steps to control their own privacy settings. In light of the new EU privacy law (the General Data Protection Regulation), which comes into force on 25 May 2018, the Dutch DPA has insisted that the update be implemented across the entire EU. Microsoft has agreed to do this, and the Dutch DPA will monitor implementation.
Violations by Microsoft
In the Netherlands over 4 million active devices use Windows 10 Home and Pro. In October 2017, following an investigation into Windows 10 Home and Pro, the Dutch DPA concluded that the way Microsoft was processing the data of Windows users breached the law. Microsoft did not clearly inform users about the type of data it uses, and for what purpose. It was also not possible for people to provide valid consent for the processing of their personal data due to the approach used by Microsoft. The company failed to make it clear that, as a result of default settings, it continuously collected data on the use of apps and web surfing behaviour through its web browser Edge.
Due to Microsoft’s approach users lacked control over their personal data. They did not know which data was being used for what purpose. And they did not know that they could be presented with personalised advertisements and recommendations on the basis of this data, if they did not turn off the default settings.
Press release / 13 October 2017Dutch DPA: Microsoft breaches data protection law with Windows 10