Dutch DPA: Windows 10 Still Violates EU Data Protection Law

Last year, the French Data Protection Authority (DPA) accused Microsoft of “excessive data collection” in Windows 10. The company has made a few privacy improvements to Windows 10 since then, but the Dutch DPA believes Microsoft is still not explicit enough about the sort of tracking it does to Windows 10 users and how it uses their data.

Breaching EU Data Protection Law

The Dutch DPA investigated Windows 10 Home and Pro and found that Microsoft still doesn’t properly inform users about the type of data it collects, nor for what purpose. Because of the company’s approach to data collection, users can’t provide valid consent to Microsoft under EU data protection legislation.

The Dutch DPA mentioned that Microsoft doesn’t inform users when it continuously collects personal data about the usage of apps and web surfing behavior in the Edge browser, when the default settings are used.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself”, according to Wilbert Tomesen, vice-chairman of the Dutch DPA. “What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves,” he added.

Telemetry Data And Its Unpredictable Use

Microsoft offers two levels of telemetry: basic and full. On the Windows Home and Pro versions there’s no way to completely turn off the telemetry system. At the basic level, some limited technical data about the device usage is processed, while with full telemetry enabled, Microsoft also processes app usage as well as web surfing through Edge. Parts of content handwritten via an inkpad are also sent to Microsoft for processing.

According to the Dutch DPA, the purpose of telemetry is two-fold. The first is to help Microsoft fix Windows for devices on which it experiences errors, and the second is for Microsoft to serve personalized ads to Windows 10 users.

The DPA said that Microsoft does offer users a good overview of what the basic telemetry level is about, but the company describes the full telemetry level in a much more general way. The collection of the full telemetry data is thus more unpredictable. Because of this lack of transparency, the DPA believes that Microsoft doesn’t have the legal ground to obtain the data through well-informed user consent.

As an example, the Dutch DPA cited the fact that Microsoft collects data about which news articles users read in the Edge browser, without making them aware that this data is being collected.

According to the Dutch authority, the full telemetry option is enabled by default at Windows 10 installation and users are only asked to accept the offered setting. Another option that’s enabled by default in a similar way also gives Microsoft and app developers permission to use the data for personalized ads.

However, having data collection settings enabled by default and then asking users to simply agree to those settings breaches the EU data protection requirements for explicit consent. Microsoft needs to make it clear to users that they can reject the data collection as well. Right now, most users may think their only option is to accept the full telemetry level.

Microsoft also “upgraded” users who had manually selected the basic telemetry option themselves to the full telemetry level when they installed the Windows 10 Creators Update over their previous version of Windows 10. Facebook used to do something similar by making users’ posts more public almost every time it updated its privacy policy.

According to the Dutch DPA, Microsoft has already said that it intends to stop all of these violations of the EU data protection law. However, the company made a similar promise last year to avoid being fined by the French DPA, too, so it remains to be seen if the changes Microsoft plans to make in a future Windows 10 update will indeed follow all of the law’s requirements.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Ditt44
    1. MS will never change. They'll dance the dance, especially in the US where laws allow pervasive data collection;

    2. AGAIN with the freaking 'pop-up/chase me' video boxes??? MY GOD people. Enough. You managed to remove them for a few months. Sad little devs trying to sneak them back in again...thinking people have forgotten? Bah.
  • ssdpro
    1. MS has no reason to change. MS doesn't invade anyone's privacy. The user purchases a license to use the product, the user agrees to the terms and conditions, the user accepts functionality by licensing the product. If MS products were forced on people and data was collected on those people then that would be an invasion of privacy.

    2. Agreed.
  • hellwig
    How is Microsoft allowed to "avoid" the fine after they've already broken the law? If they are found to be violating the law, fine them, and continue fining them until they fix it.

    These corporations are not dumb, they know EXACTLY what they're doing. They capture ALL information, and then keep paring it back until people stop complaining. They should be FORCED to limit collection reasonably from the get-go.

    Imagine if you stole a car in the U.S. and drove it across a state-line. Boom, that's a Federal Crime so the FBI is after you. But instead of arresting you, they just made you promise not to steal a car AND drive it across the line next time. So the next time, you just steal a car and drive it one county over. Boom, now it's a local crime. The FBI is placated and you go about your business. Oh, and at no point are you required to RETURN any of the cars.

    The world doesn't work that way for people, why does it work that way for corporations?
  • jeffreydanielbyers
    Did you even read the article?
  • JonDol
    I decided long ago to not wait for MS to fix their snooping policy and I use some tools like DoNotSpy10 and W10Privacy that stop many if not all (am I too naïve?) data collection and sending. Then inspired by the features of these Windows 10 tools I applied some of their features back to my other Windows 8.1/7 machines and I don't count on stopping to use these tools...
  • mihen
    So... how is Android still able to be sold in the EU with these laws since they do far worse snooping and selling of user data.
  • JonDol
    @mihen: I think there is still enough money to "suck" from MS, Google and Facebook so there is no real need in EU to look further but I have no fear that the Android's time is not too far.

    Some examples from my mother's brand new Android phone: by default it stores the WiFi password (one of my best preserved secrets, btw) in the cloud, the calculator app had access to location and contacts etc. On that brand new phone with 2-3 apps installed, I needed about two hours to reduce the preinstalled apps permissions to the minimum required for their job and clean all their stored data...

    One day, one day...
  • RomeoReject
    Mihen, I'm not sure how it factors, but my last two phones both asked for permissions for EVERYTHING the first time they were run (Hell, even Chrome had to ask). I was allowed to deny permissions, though the individual app that was denied wouldn't run as a result.

    I would assume Microsoft is in trouble because there is no true "Deny" option. It's only "Yes" or "Somewhat Yes".
  • Christopher1
    Microsoft to Dutch DPA: Quit whining or we will just pull our software totally from your region and the entire EU if we have to!

    Really, I am big on privacy but I see this as a bunch of whining by the E.U.
    Everything that Microsoft 'harvests' from Windows 10 is anonymized. They cannot find out who you are simply from that anonymized stuff.
  • Christopher1
    20278757 said:
    I would assume Microsoft is in trouble because there is no true "Deny" option. It's only "Yes" or "Somewhat Yes".
    There is only a "Yes" or "Somewhat Yes" option because Cortana DOES NOT WORK PROPERLY if you turn everything off.
    Really people get used to the fact that Microsoft is going to be harvesting data but remember this: ALL ANONYMIZED!

    They cannot track anything back to you in the real world or at least not easily!

    I would be much more worried about using any random website on the internet and having their tracking software track me.