The French National Data Protection Commission (CNIL) has issued a formal warning to Microsoft for its data collection practices in Windows 10. The warning claims that the company is collecting excessive data which is not needed for the operation of its services.
CNIL began looking into the matter after receiving complaints from the media and political parties about the possibility of excessive data retention from Microsoft. The Commission then formed a group to investigate the matter, examining the issue in France and the rest of the European Union to see if Microsoft complied with the French Data Protection Act.
The investigation turned up several issues with Windows 10, Windows apps, and the Windows Store. It believes that that 4-digit PIN option for verification on the Windows Store is too weak to function as a security measure, as there is no limit to the number of times a person is allowed to input the wrong password.
Also problematic was that the platform does not request the consent of individuals to track their data. This data was also transmitted outside of the EU and sent back to the US for “safe harbour”. While it used to be common practice to store date in foreign countries for safety, the EU no longer allows it due to a ruling from the European Court of Justice.
The warning from CNIL does not guarantee legal action. Microsoft will be given a period of time to respond and update its practices to comply with the Data Protection Act. Failure to do so may result in an official investigation being opened, with a good chance of the company being dragged into legal proceedings.