France serves notice to Microsoft on ‘excessive’ data tracking

France on Wednesday said it had served notice to Microsoft to stop collecting what it deems excessive data and tracking browsing by users without their consent on civil liberty grounds. The National Data Protection Commission (CNIL) said in a statement that it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.

The agency said media and political groups brought the issue to its attention after Microsoft launched its latest Windows 10 operating system a year ago. CNIL undertook seven “online observations” to determine the extent of the problem and questioned Microsoft Corporation on its privacy policy to see if Windows 10 fully complied with French data protection legislation, the agency said.

Those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”, the statement said.

CNIL also criticized Microsoft over the four-character PIN number that enables users to authenticate access to online services, saying the tech giant failed to limit the number of attempts to enter the correct code, threatening data and personal security.

The agency condemned Windows 10’s use of targeted advertising without first obtaining users’ consent, as well as the operating system’s lack of a way to block cookies. “The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” the statement said.

Microsoft is still transferring user data outside the European Union even though the European Court of Justice ruled on privacy grounds in October that the transfer of European citizens’ data to the United States under the obsolete “safe harbor” basis was no longer valid, CNIL said.

Should Microsoft fail to comply with the formal notice, CNIL would draw up a report on Data Protection Act breaches that could result in a fine of 150,000 euros ($165,000), the agency added. Microsoft said it would cooperate with CNIL to address its concerns.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft vice president David Heiner said in a statement. Concerning transfer of data from Europe to the United States, Microsoft relies on a variety of legal mechanisms, in addition to “safe harbor”, he added.

After a legal wrangle over handling web data between Europe and the United States, the European Union earlier this month launched a controversial deal with Washington aimed at curbing government spying on EU citizens’ personal internet data.