
The Dutch Data Protection Authority (DPA) has accused Microsoft of breaching Dutch law by harvesting data of those who use its Windows 10 operating system.

In a statement issued Oct. 13th, the DPA stated Redmond, Wash.-based Microsoft failed to inform Windows 10 Pro and Home users which data it collects.

Improper Windows 10 Data Processing

The DPA also claims Microsoft makes it impossible for users to give their consent to the data being processed. Because Microsoft can use the data in so many ways, users cannot give or withhold permission for each individual use case. The statement adds:

“The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behavior through its web browser Edge, when the default settings are used. Microsoft has indicated that it wants to end all violations. If this is not the case, the Dutch DPA can decide to impose a sanction on Microsoft.”

Dutch Telemetry Problems

According to the DPA, Windows 10 Home and Pro are installed on four million active devices in the Netherlands. Microsoft processes telemetry data from these four million devices.

Telemetry data is data from automated communications processes by which measurements and other data can be gathered at remote or inaccessible points. In other words, the telemetry data enables Microsoft to monitor which apps are installed, whether the user has changed default settings, which apps are used and how, as well as data on web surfing behavior.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” Wilbert Tomesen, vice-chairman of the DPA said in the statement.

There are two different types of telemetry: basic and full.

  • Basic: limited data processing about device usage.
  • Full: harvesting app usage as well as data about web surfing behavior through Edge and (parts of) the content of handwritten documents via an inkpad.

Microsoft's Response to Dutch Charges

Microsoft said in a statement that the telemetry is used to fix errors and update devices. But the company admitted to using it for other purposes too.

“Microsoft also uses data from both the basic and the full telemetry level to show personalized advertisements in Windows and Edge (including all apps for sale in the Windows store) and is the Advertising ID used to show personalized advertisements in other apps.” The statement continued, “I want our customers to know that it is a priority for us that Windows 10 Home and Windows 10 Pro are clearly compliant under Dutch law.”

This isn't the first time Microsoft has faced a challenge to its Windows 10 data practices. In July 2016, the French data regulators ordered Microsoft to comply with French data protection measures, and in November 2016, European privacy regulators also expressed concern about Windows 10.

The company is currently working with Swiss and French data protection authorities to address their recommendations in the ongoing development of Windows 10. “We’ve worked with Swiss and French data protection authorities to incorporate their guidance, subsequently improving the privacy controls in Windows 10 Home and Pro and earning their positive assessments of the changes,” according to the statement.

The improvements include the release of a new privacy dashboard and new privacy features and the promise of further improvements in the Fall Creators Update.

The company stated it wanted to work with the Dutch DPA to find "appropriate solutions" to the privacy issue, but that it had some concerns about the accuracy of some of the DPA findings.

EU Data Regulation Measures Ramp Up

Microsoft isn't alone under the privacy spotlight in Europe. On May 18, 2018, the General Data Protection Regulation (GDPR) comes into force. Any U.S. tech firm operating in Europe will face stiff fines if found noncompliant.

For an example of the EU's determination to bring these companies to heel, look no further than the recent Google fine. While not privacy related, it did pit one of the biggest tech companies in the world against the EU. In that case Google backed down.

We can expect to see more of these cases in the coming months.