Last year, the French Data Protection Authority (DPA) accused Microsoft of “excessive data collection” in Windows 10. The company has made a few privacy improvements to Windows 10 since then, but the Dutch DPA believes Microsoft is still not explicit enough about the sort of tracking it does to Windows 10 users and how it uses their data.

Breaching EU Data Protection Law

The Dutch DPA investigated Windows 10 Home and Pro and found that Microsoft still doesn’t properly inform users about the type of data it collects, nor for what purpose. Because of the company’s approach to data collection, the users can’t provide valid consent to Microsoft, according to the EU data protection legislation.

The Dutch DPA mentioned that Microsoft doesn’t inform users when it continuously collects personal data about the usage of apps and web surfing behavior in the Edge browser, when the default settings are used.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” according to Wilbert Tomesen, vice-chairman of the Dutch DPA.
“What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves,” he added.

Telemetry Data And Its Unpredictable Use

Microsoft offers two levels of telemetry: basic and full. On the Windows 10 Home and Pro editions there is no way to completely turn off the telemetry system. At the basic level, some limited technical data about device usage is processed, while with full telemetry enabled, Microsoft also processes app usage as well as web surfing in Edge. Parts of the handwritten content entered via the inking pad are also sent to Microsoft for processing.

According to the Dutch DPA, the purpose of telemetry is two-fold. The first is to help Microsoft fix the errors Windows experiences on users’ devices, and the second is for Microsoft to serve personalized ads to Windows 10 users.

The DPA said that Microsoft does offer users a good overview of what the basic telemetry level covers, but the company describes the full telemetry level in a much more general way. The collection of full telemetry data is thus more unpredictable. Because of this lack of transparency, the DPA believes that Microsoft has no legal ground to obtain the data through well-informed user consent.

As an example, the Dutch DPA pointed out that Microsoft collects data about which news articles users read in the Edge browser, without making them aware that this data is being collected.

According to the Dutch authority, the full telemetry option is enabled by default at Windows 10 installation and users are only asked to accept the offered setting. Another option that’s enabled by default in a similar way also gives Microsoft and app developers permission to use the data for personalized ads.

However, having data collection settings enabled by default and then asking users to simply agree to those settings breaches the EU data protection requirements for explicit consent. Microsoft needs to make it clear to users that they can reject the data collection as well. Right now, most users may think their only option is to accept the full telemetry level.

Microsoft also “upgraded” users who had manually selected the basic telemetry option themselves to the full telemetry level when they installed the Windows 10 Creators Update over their previous version of Windows 10. Facebook used to do something similar by making users’ posts more public almost every time it updated its privacy policy.

According to the Dutch DPA, Microsoft has already said that it intends to stop all of these violations of the EU data protection law. However, the company made a similar promise last year to avoid being fined by the French DPA, too, so it remains to be seen if the changes Microsoft plans to make in a future Windows 10 update will indeed follow all of the law’s requirements.