Windows 10

France Says That Windows 10 Violates Personal Privacy Laws

France Says That Windows 10 Violates Personal Privacy Laws

France’s CNIL, which is tasked with protecting personal data and preserving individual liberties, this week accused Microsoft of violating the French Data Protection Act by using Windows 10 to “collect excessive user data without their consent.” Quelle horreur!

“The CNIL found that [Microsoft is] collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products,” the CNIL explains. “To this purpose, Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user and the time spent on each one. Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service.”

The CNIL further asserts that Windows 10 violates the French Data Protection Act by:

Sponsored Content

Maximize Value from Microsoft Defender

In this ebook, you’ll learn why Red Canary’s platform and expertise bring you the highest possible value from your Microsoft Defender for Endpoint investment, deployment, or migration.

… not seeking individual consent. Windows 10 and various installed apps monitor user browsing and offer targeted advertising without obtaining users’ consent.

… being insecure. By letting users choose a four-digit PIN to authenticate themselves, Microsoft is opening up users to theft of their payment instruments. “The number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential,” the CNIL says.

… offering no option to block tracking cookies. The CNIL charges that Microsoft “puts advertising cookies on users’ PCs without properly informing them of this in advance or enabling them to oppose this.”

… inappropriately using out-of-date EU “safe harbor” rules to transfer personal data to the U.S. Microsoft is transferring users’ personal data to the United States, but this is illegal given a decision issued by the Court of Justice of the European Union in October 2015, the CNIL says.

The CNIL has given Microsoft three months to reply to these accusations and to change Windows 10 and its policies to conform with French law. Should Microsoft not comply within the stated time, it will be officially sanctioned and could be fined up to 4 percent of its annual global revenues.

The CNIL has also alerted the software giant that other European Union member states are conducting similar investigations into Windows 10’s alleged privacy issues and could issue their own findings against the firm.

“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights,” the CNIL says. “It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).”

For its part, Microsoft says it will work to comply with French law.

“We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable,” Microsoft vice president and deputy general counsel David Heiner said.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

Paul Thurrott is an award-winning technology journalist and blogger with over 20 years of industry experience and the author of over 25 books. He is the News Director for the Petri IT Knowledgebase, the major domo at, and the co-host of three tech podcasts: Windows Weekly with Leo Laporte and Mary Jo Foley, What the Tech with Andrew Zarian, and First Ring Daily with Brad Sams. He was formerly the senior technology analyst at Windows IT Pro and the creator of the SuperSite for Windows.
External Sharing and Guest User Access in Microsoft 365 and Teams

This eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure.

You will learn:

  • Who should be allowed to be invited as a guest?
  • What type of guests should be able to access files in SharePoint and OneDrive?
  • How should guests be offboarded?
  • How should you determine who has access to sensitive information in your environment?

Sponsored by: