France is once again targeting large US IT companies over data privacy. 

In February, Facebook fell foul of the French data commission. This week it was Microsoft and its Windows 10 operating system's turn in the spotlight.

In a notice issued Wednesday, the National Data Protection Commission (CNIL) ordered Microsoft to stop its practice of collecting and using Windows 10 user data to serve up targeted ads.

The CNIL also demanded that Microsoft take satisfactory measures to ensure the security and confidentiality of user data, as well as stop the transfer of personal data to the US. 

Which really calls into question what exactly Microsoft is doing with its data practices.

“Is Microsoft the evil empire? Of course not. But with power comes responsibility. In this case, it’s the responsibility to show France — and the world markets — that it’s taking appropriate safeguards for user privacy and data protection,” Rebecca Wettemann, vice president of research at Nucleus Research told CMSWire.

Microsoft Collected ‘Irrelevant, Excessive Data’

The CNIL demands follow an investigation into the Windows 10 operating system following its July 2015 release. Acting on concerns expressed by some media outlets and political parties, the CNIL carried out seven online observations in April and June 2016. It also questioned a number of Microsoft executives about data harvesting methods.

The objective, the CNIL wrote in the notice, was to verify that the methods and results complied with the French Data Protection Act. They didn’t under five different headings, including the accusation that Microsoft is collecting “irrelevant or excessive data.”

“The company was (sic) collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products .… Microsoft Corporation processes, for instance, Windows app and Windows Store usage data, providing information, among other things, on all the apps downloaded and installed on the system by a user,” the notice reads.

Security, Consent, Cookies

The next three complaints could apply to just about any IT company operating online that harvests data to inform better customer experiences. They are:

Lack of security

With the introduction of Windows 10, Microsoft enabled users to sign into all of their services using a simple four-character PIN. While no complaints appear to be leveraged at that specific tactic, the notice does point out that no limits were placed on the number of attempts a user can make to get the right combination.

Lack of individual consent

The notice also called out the advertising ID that is automatically set up when a user installs Windows. This ID allowed Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising — all without obtaining users’ consent.


The CNIL says Microsoft puts cookies on users’ terminals without properly advance notice.

Rebuilding Safe Harbour

The fifth and last complaint is by far the most significant for cross-Atlantic online commerce. According to the CNIL, Microsoft is still transferring data belonging to account holders to the US in the same way it did before the Safe Habour agreement was struck down at the beginning of October last year.

Following the ruling, no guidance has been provided on how to operate for Microsoft or other US and European companies doing transatlantic business, which has left many operating in a vacuum.

That is expected to change soon, with the European Commission's adoption of the US-EU Privacy Shield last week, which provides legal cover for transatlantic data transfers.

Learning Opportunities

This in the same week that a federal US court overturned an order by a lower court in New York State instructing Microsoft to provide access to a customer’s data stored in Ireland.

Shifting Transatlantic Data Rules

The EU-US Privacy Shield sets out principles that enable US companies to receive and transfer some personal data from EU entities into the US. It comes into force on Aug. 1.

It should be noted, however, that the CNIL notice is just that, a notice, and as of now, looks as if no further action will be taken.

“The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights,” the notice reads.

“It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory).”

Dave Heiner, vice president and deputy general counsel for Microsoft, in a statement said the company would work closely with the CNIL over the next few months to understand its concerns fully and "to work toward solutions that it will find acceptable."

The statement added that Microsoft relies on a variety of legal mechanisms for transferring data from Europe to the US, including standard contractual clauses.

Understand the Law of the Land

But the notice points to a wider problem, notably the interaction between US companies and European governments. It’s not the first time the French government has gone after a US company (Facebook, Google for example) about privacy concerns, and Nucleus Research’s Wetteman points out that US companies need to be aware of the environments they are operating in.

“Part of international trade — even where the internet is concerned — means complying with local privacy laws if you want to do business there. The French have a long history of protecting the personal rights of its citizens, including their privacy," Wettemann said.

“Although this could be seen as a French effort to keep Microsoft and other US capitalists from overrunning French culture, what it does is raise legitimate concerns about the way data is collected that all citizens — not just French ones — should be concerned about.”