French Regulator Accepts Microsoft's Data Protection Improvements to Windows 10
3.7.2017 securityweek Privacy
CNIL Accepts Microsoft's Data Protection Improvements to Windows 10
CNIL, the French data protection regulator, has closed the formal notice procedure it served on Microsoft on June 30, 2016 over privacy concerns relating to Windows 10. "Since then," says CNIL, "the company has brought itself into line with data protection rules, the formal notice procedure has therefore been closed."
In a statement emailed to SecurityWeek, Microsoft commented, "We are committed to protecting our customers' privacy and putting them in control of their information. We appreciate the French data protection authority's decision and will continue to provide clear privacy choices and easy-to-use tools in Windows 10."
The notice was served last year with three particular concerns: the excessive collection of personal data; the tracking of users' web-browsing without their consent; and a lack of security and confidentiality of users' data. Since then, Microsoft has addressed each issue to CNIL's satisfaction.
On the first, Microsoft has reduced the amount of data it collects by nearly half. "It has restricted its collection to the sole data strictly necessary for maintaining the proper functioning of its operating system and applications, and for ensuring their security," notes CNIL.
On the second concern, Microsoft now makes it clear that an advertising ID is intended to track web-browsing in order to offer personalized advertising. This now has to be activated or deactivated at installation, and users can reverse the choice at any time.
On the security concerns, Microsoft "has strengthened the robustness of the PIN code allowing users to authenticate to all company’s online services, and more specifically to their Microsoft account," notes CNIL: "too common PIN code combinations are now forbidden."
Microsoft has also addressed the other injunctions within the formal notice. It has inserted the information required under Article 32 of the French Data Protection Act; it has requested CNIL authorization for its processing of personal data; it has joined Privacy Shield; and it has ceased placing advertising cookies without obtaining users' consent.
"The Chair of the CNIL has considered that the company had complied with the French Data Protection Act and has therefore decided to proceed to the closing of the formal notice," says the CNIL announcement.
Given the size of the sanctions that will become available to CNIL when the GDPR comes into force in May 2018, it is probably a wise move by Microsoft to get compliance sorted now.