On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it had issued a formal notice to Microsoft Corporation (“Microsoft”) regarding Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.
Background
Following the launch of Microsoft’s new operating system, Windows 10, in July 2015, the CNIL was alerted by the media and by political parties that Microsoft could be collecting excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their respective EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.
CNIL Formal Notice
In its formal notice, the CNIL found that Microsoft’s processing of personal data via Windows 10 involved several breaches of the French Data Protection Act, as amended, including:
- Breach of the Data Proportionality Requirement. As a general rule, personal data must be appropriate, relevant and not excessive with respect to the purposes for which the data is collected and further processed (i.e., data proportionality). The CNIL found that Microsoft was collecting irrelevant or excessive telemetry data. According to Microsoft’s privacy statement, diagnostic and usage data are collected via Microsoft’s telemetry service, among other things, to identify and troubleshoot problems and to improve Microsoft products and services. Users cannot deactivate the telemetry service, but can set their devices to the basic level of diagnostic and usage data collection, which Microsoft describes as vital to the operation of Windows. The CNIL found that most of this data was not directly necessary for the system to operate and, thus, that Microsoft was collecting excessive personal data.
- Breach of the Notice Requirement. The French Data Protection Act requires data controllers to include minimum privacy language directly on the form used to collect information. Further, the French Implementing Decree requires data controllers to provide detailed information on international data transfers (including the types of the personal data transferred, the purpose(s) of the data transfer, etc.). The CNIL found that the form for creating a Microsoft account did not contain any privacy language and that Microsoft’s privacy statement did not provide all the information required about the data transfers.
- Breach of the Cookie Law Rules. Under the French Data Protection Act, users’ consent must be obtained before accessing or recording data in their devices. The CNIL found that Microsoft was generating a unique advertising ID that was activated by default when Windows 10 was installed, thereby allowing Windows apps and third-party apps to monitor user browsing and provide targeted advertising without the user’s prior consent. The CNIL further found that 13 cookies (including advertising cookies) were placed on the user’s device when clicking on the link to Microsoft’s privacy statement. These cookies were placed without informing users in advance of (1) the purposes of the cookies, and (2) how to block them. Additionally, the CNIL found that Microsoft’s privacy statement simply referred users to their browser settings to block cookies. Browser settings cannot be considered a valid mechanism to block cookies where the site places both technical cookies that are essential for its operation and first-party cookies requiring users’ consent (as was the case here), because blocking all cookies in the browser would also block the essential ones. The CNIL concluded that Microsoft was not complying with the cookie law requirements.
- Breach of the Data Security Requirement. The French Data Protection Act also requires data controllers to take all necessary measures to ensure the security of personal data. The CNIL observed that Windows 10 users were prompted to create a PIN for their device to authenticate themselves to all of Microsoft’s online services, including their email and their Microsoft account, which lists store purchases and the payment options used. The CNIL further observed that the PIN could be composed of four identical digits (e.g., “0000”) and that the number of attempts to enter the PIN was unlimited, leaving the PIN open to trivial guessing. On that basis, the CNIL concluded that user data was not adequately secured.
- Breach of the Registration Requirement. According to the French Data Protection Act, processing personal data for fraud prevention purposes requires the CNIL’s prior authorization. Microsoft’s privacy statement specifies that user data may be processed for these purposes. However, Microsoft did not file an authorization request for implementing the data processing, thereby infringing the French registration requirements.
- Breach of the Cross-Border Data Transfer Restrictions. Finally, since the invalidation by the Court of Justice of the European Union of the European Commission Decision on the Safe Harbor framework, data transfers based on that framework are unlawful. Microsoft’s privacy statement still refers to Microsoft’s Safe Harbor certification, which, according to the CNIL, constitutes a breach of the cross-border data transfer restrictions.
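The two weaknesses cited under the Data Security Requirement above (a PIN made of a single repeated digit, and no limit on guesses) are exactly what a PIN verifier should refuse. The following is an added example in Python written for this page; it is not code from Microsoft, from the CNIL notice or from the original post. The policy rules, the five-attempt/60-second lockout, the PBKDF2 parameters and the sample PINs are assumptions chosen for illustration.

```python
"""Added example (not from the CNIL notice or Microsoft): a PIN verifier
that rejects trivially guessable PINs and throttles failed attempts.
Lockout parameters, hashing parameters and sample PINs are constructed
for illustration only."""
import hashlib
import hmac
import os
import time

MIN_LEN = 4
MAX_ATTEMPTS = 5       # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 60   # assumption: lockout duration
PBKDF2_ROUNDS = 100_000


def pin_policy_errors(pin: str) -> list[str]:
    """Return the policy rules a candidate PIN violates (empty list = acceptable)."""
    errors = []
    if not pin.isdigit():
        errors.append("digits only")
    if len(pin) < MIN_LEN:
        errors.append(f"at least {MIN_LEN} digits")
    if pin and len(set(pin)) == 1:           # "0000": the case the CNIL cited
        errors.append("all digits identical")
    if len(pin) >= 2:
        steps = {ord(b) - ord(a) for a, b in zip(pin, pin[1:])}
        if steps in ({1}, {-1}):             # "1234", "4321"
            errors.append("sequential digits")
    return errors


class PinVerifier:
    """Stores a salted PBKDF2 hash of the PIN and locks out after repeated failures.

    `clock` is injectable so the lockout can be tested without sleeping.
    """

    def __init__(self, pin: str, clock=time.monotonic):
        errors = pin_policy_errors(pin)
        if errors:
            raise ValueError("weak PIN: " + ", ".join(errors))
        self._salt = os.urandom(16)
        self._hash = self._derive(pin, self._salt)
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def verify(self, candidate: str) -> bool:
        """True only if the PIN matches and the account is not locked out."""
        if self.is_locked():
            return False                     # refuse even a correct PIN while locked
        ok = hmac.compare_digest(self._derive(candidate, self._salt), self._hash)
        if ok:
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_ATTEMPTS:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return False


if __name__ == "__main__":
    for candidate in ("0000", "1234", "12", "2580"):   # constructed sample PINs
        print(candidate, pin_policy_errors(candidate) or "acceptable")
    v = PinVerifier("2580")
    for _ in range(MAX_ATTEMPTS):
        v.verify("1111")
    print("locked after repeated failures:", v.is_locked())
```

The lockout is deliberately applied to correct guesses as well as wrong ones: the attacker cannot tell from the response whether the lockout or a wrong PIN caused the rejection. A fixed-window lockout like this one is the simplest form of throttling; a production design would typically add exponential back-off and a per-device counter bound to the hardware rather than kept in memory.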
Next Steps
The CNIL ordered Microsoft to cease its non-compliance within three months. Failure to do so within the prescribed time limit may result in a fine of up to €150,000 (under the current regime) or up to €3 million (once the French ‘Digital Republic’ law amending the French Data Protection Act becomes effective, possibly in September or October 2016). Microsoft has already announced that it will release an updated privacy statement next month (August 2016) referring to the EU-U.S. Privacy Shield.