Dutch data regulator warns Windows 10 still breaches user privacy

Unlawful data collection practices found despite company changes

The Dutch data protection regulator has accused Microsoft of remotely collecting data from Windows Pro and Windows 10 Home users in what could constitute yet another breach of EU data law.

The agency was testing changes to the company's data collection policies, introduced by Microsoft last year, when it discovered that diagnostic and non-diagnostic data was still being collected.

"A follow-up check by the Dutch DPA has shown that the changes have led to concrete improvements," the DPA said in a statement supplied to IT Pro. "Microsoft has complied with the agreements made. However, the check also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules."

Details of the data collection have been passed over to the Irish Data Protection Commission, the local authority to Microsoft's EU headquarters.

Advertisement - Article continues below

The Dutch authority was the first to raise concerns about Microsoft's data collection habits, concluding in 2017 that the way Windows 10 operates was in breach of its local data laws. It found that Microsoft was collecting large volumes of application usage data, such as dwell time, how the user interacted with the app, and how often they are active, as well as data that tracked what sites were visited on its Edge browser.

Microsoft eventually agreed to make changes to its policy in April 2018, a month before GDPR came into force. It's those changes that the Dutch data regulator is now questioning, only this time data laws are now standardised across the bloc and present a much tougher front for Microsoft to contend with.

Microsoft said it will continue to work with the Irish authority to address any further concerns related to data privacy.

"Microsoft is committed to protecting our customers' privacy and putting them in control of their information," a statement to TechCrunch read. "Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10."

"We welcome the opportunity to improve even more the tools and choices we offer to these end users."

This is not the first time Microsoft has been warned about its data policies since the introduction of GDPR. In November 2018, the Dutch data authority urged users to ditch Office 365 and Windows Enterprise after it discovered eight high-risk collection practices, including the unlawful storage of sensitive data considered sensitive under GDPR, and keeping data beyond the allowed timeframe.

Following that incident, Microsoft agreed to adapt its products to comply with Dutch laws and GDPR, and agreed to supply regular reports on its progress.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now



Arcserve UDP 9240DR review: Beef up your backups

4 Apr 2019

Most Popular

identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019

Five signs that it’s time to retire IT kit

29 Nov 2019
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019