Based on its investigation of Windows 10 Home and Windows 10 Pro, the Dutch Data Protection Authority has concluded that Microsoft is in violation of Dutch data protection law. Through these operating systems, Microsoft is processing personal data in a manner that is not compliant with the Dutch Data Protection Act (“DDPA”).
No informed consent due to lack of transparency
Microsoft continuously collects technical performance and user data through its operating system Windows 10. This data is referred to as ‘telemetry data’. Users can allow Microsoft to either collect basic telemetry data (which is limited) or full telemetry data.
With regard to the collection of full telemetry data, Microsoft is now in trouble. The investigation found that Microsoft provides insufficient information about both the categories of personal data it collects through full telemetry and the purposes for which such data is used. This lack of information makes it impossible for people to give their informed consent to the processing of their personal data. As such, their consent is not considered to be valid under the DDPA.
Opt-out instead of opt-in
Moreover, Microsoft does not always obtain unambiguous consent, because it uses an opt-out system: users have to actively change the privacy settings to prevent Microsoft from collecting full telemetry data. If users fail to do so for whatever reason, this does not constitute valid, unambiguous consent as required under the DDPA. In addition, this approach of Microsoft is contrary to the principle of ‘
Warning, no sanctions (yet)
Microsoft has indicated to the Dutch Data Protection Authority that it wants to tackle the violations. Microsoft will now be given the opportunity to do so. However, should Microsoft fail to sufficiently remedy its violations, the Dutch Data Protection Authority may decide to impose a sanction.