The Art. 29 Working Party still has concerns about the Data Protection standards of Windows 10 and the personal data which is collected. In a letter, they state that Microsoft's settings do not comply with certain Data Protection principles.
A letter from the Data Privacy Regulator
A year ago, the concerns were already raised in a letter sent by the Art. 29 Working Party to Microsoft. The reasons for the concerns are mainly the amount of personal information Microsoft collects with the Windows 10 system.
Microsoft has been criticized regarding use of Windows 10 especially because of the use of default settings to harvest large amounts of user-data, such as web browsing history and wi-fi network names and passwords, techcrunch reports.
But European regulators are not only concerned with the amount of data, but also with the fact that users are not fully informed about the data collection and that they don’t have control over their data.
New settings for Windows 10
After that letter sent out a year ago, Microsoft decided to implement a new settings menu, cio reports. However, the Art. 29 Working Party is still not happy with the outcome – the information the user receives is still not enough for them. The group now asked for more explanation of Microsoft’s processing of personal data in a letter to Microsoft CEO Satya Nadella and company privacy czar Brendon Lynch:
The Working Party has significant concerns with some of the personal data collected and further processed by Microsoft within the Windows 10 operating system and specifically the default settings or apparent lack of control for a user to prevent collection or further processing of such data.
As a result the Working Party specifically requests further explanatory information from Microsoft, as data controller for this personal data, as to how the opt-outs, default settings and other available control mechanisms presented during the installation of Windows 10 operating system provide a valid legal basis for the processing of personal data under the Data Protection Directive 95/46/EC.
This is especially of concern where Microsoft would rely on consent as a legal basis for the processing of personal data. The Working Party has previously published Opinion 15/2011 on the definition of consent which highlights that for consent to be considered valid it must be fully informed, freely given and specific.
Microsoft gives statement
Microsoft states that they want to and will
“continue to cooperate with the Working Party and national data-protection agencies.”
The company launched a web-based privacy dashboard for Microsoft account users to review and amend privacy settings for different Microsoft services, including location, search, browsing, and Cortana Notebook. This shall reflect their commitment to personal data protection.
However, the European Data Protection Regulator still has not decided whether those changes are enough to comply with European Data Protection requirements.