Microsoft updates data protection policy after being threatened with a fine

Microsoft has updated the way Windows 10 collects users’ personal information, following a complaint from France’s National Data Protection Commission (CNIL).

When users select the ‘Basic’ telemetry setting, the OS now ensures users either opt in or out of a setting that allows an advertising ID to track web-browsing in order to produce personalized adverts. Windows 10 also tightens the security of its four-digit PIN system that allows users to access Microsoft’s online services.

French authorities threatened penalties

The changes come in response to the threat of a fine from the CNI. Last year, the CNIL issued a formal notice against Microsoft, stating that Windows 10 violated France’s data protection laws.

The CNIL’s notice made specific reference to the way the operating system tracks web browsing and to its PIN system’s lack of security, but also criticized the collection of irrelevant or excessive data, the lack of an option to block cookies, and the fact that data is still being transferred outside the EU on a ‘safe harbor’ basis – the agreement having been deemed invalid by the Court of Justice of the European Union in 2015.

Microsoft asked the CNIL for time to change the way Windows 10 collects data, and was initially given three months. In November 2016, the company asked for more time, and has now come good on its promise. The CNIL announced last month that Windows 10 now complies with France’s data protection laws, and as such, it is dropping its threat of a fine.

Prepare for the GDPR

Microsoft was able to adjust the way it collects users’ data in order to comply with current data protection laws, but with the EU General Data Protection Regulation (GDPR) taking effect next year, it may have to make further changes.

The GDPR introduces much stricter rules for companies processing EU residents’ personal data, and imposes tougher penalties for non-compliance. Any company found to be in breach of the Regulation can expect a fine of up to 4% of annual global turnover or €20 million ($22.8 million), whichever is greater

If your organization processes EU residents’ personal data, it’s paramount that you comply with the GDPR. We can help you better understand the Regulation and how you can prepare for it with our online and distance learning courses. Our next courses are:

If you book these courses together,
you’ll receive a $400 discount and 20% off our
GDPR toolkit.