Updated, 8/29/19, 6:55am PT: The Irish Data Protection Commission responded to our request for comment with the following statement. "The data protection concerns regarding Microsoft Windows were communicated to the Irish Data Protection Commission (DPC) by the Dutch Data Protection Authority in July. Since then the DPC has been liaising with the Dutch DPA to further this matter. The DPC has had preliminary engagement with Microsoft and, with the assistance of the Dutch authority, we will shortly be engaging further with Microsoft to seek substantive responses on the concerns raised.” The commission didn't offer further details about what exactly the DPA was concerned about or how the investigation will proceed.
Updated, 8/28/19, 12:57 p.m. PT: Microsoft responded to our request for comment; the company's statement can be found below.
Original article, 8/28/19, 10:32 a.m. PT:
Microsoft's attempts to appease European Union regulators have fallen short. The Dutch Data Protection Agency (DPA) announced yesterday that it asked the Irish Data Protection Commission (DPC) to investigate "new, potentially unlawful, instances of personal data processing” in Windows 10.
The DPA originally complained about Windows 10's data collection in 2017. Microsoft responded by improving the operating system's privacy with the Windows 10 April 2018 Update, but in doing so it also introduced "new processing of personal data that might be unlawful," as the DPA put it. (The agency's announcement was only published in Dutch; an English translation was not available at time of writing.) So it wants the DPC to investigate.
Dutch regulators can't investigate these claims themselves because Microsoft, like many U.S. tech companies looking to enjoy low tax rates, headquartered its European business in Ireland. Call it the luck of the Irish: now the DPC must serve as a go-between for the DPA and Microsoft. TechCrunch reported yesterday that the DPC confirmed the DPA's announcement and said it's had "preliminary engagement with Microsoft."
Neither the DPA nor the DPC have elaborated on how Microsoft's updates to Windows 10 allegedly introduced new privacy violations. The DPA only said in its announcement that it "advises users of Windows to pay close attention to privacy settings when installing and using this software" because "Microsoft may process personal data at the moment that permission has been requested for this in the correct manner." (Per Google Translate.)
We've reached out to the DPC and Microsoft for more information about the DPA's complaints. Microsoft responded with the following statement:
“The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible. [...] Microsoft is committed to protecting our customers’ privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.”
Windows 10 has suffered numerous privacy issues since its debut, which is why we advise people to make sure every privacy-related setting is set to "off" when they set up a new PC. Whether the DPC's investigation results in changes to Windows 10 or its default remains to be seen.