Dutch privacy regulator says Windows 10 breaks the law
Regulator says Microsoft doesn’t offer enough information to enable informed consent.
ARS STAFF – 10/13/2017, 8:45 PM
The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.
To comply with the law, the DPA says that Microsoft needs to get valid user consent: this means the company must be clearer about what data is collected and how that data is processed. The regulator also complains that the Windows 10 Creators Update doesn’t always respect previously chosen settings about data collection. In the Creators Update, Microsoft introduced new, clearer wording about the data collection—though this language still wasn’t explicit about what was collected and why—and it forced everyone to re-assert their privacy choices through a new settings page. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.
In the Creators Update, Microsoft also explicitly enumerated all the data collected in Windows 10’s “Basic” telemetry setting. However, the company has not done so for the “Full” option, and the Full option remains the default.
The Windows 10 privacy options continue to be a work in progress for Microsoft. The Fall Creators Update, due for release on October 17, makes further changes to the way the operating system and applications collect data and the consent required to do so. Microsoft says that it will work with the DPA to “find appropriate solutions” to ensure that Windows 10 complies with the law. However, in its detailed response to the DPA’s findings, Microsoft disagrees with some of the DPA’s objections. In particular, the company claims that its disclosure surrounding the Full telemetry setting—both in terms of what it collects and why—is sufficient and that users are capable of making informed decisions.
The DPA’s complaint doesn’t call for Microsoft to offer a complete opt-out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to “end all violations,” but if the software company fails to do so, it faces sanctions.