Dutch data regulator warns Windows 10 still breaches user privacy

Unlawful data collection practices found despite company changes

The Dutch data protection regulator has accused Microsoft of remotely collecting data from Windows Pro and Windows 10 Home users in what could constitute yet another breach of EU data law.

The agency was testing changes to the company's data collection policies, introduced by Microsoft last year, when it discovered that diagnostic and non-diagnostic data was still being collected.

"A follow-up check by the Dutch DPA has shown that the changes have led to concrete improvements," the DPA said in a statement supplied to IT Pro. "Microsoft has complied with the agreements made. However, the check also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules."

Details of the data collection have been passed over to the Irish Data Protection Commission, the local authority to Microsoft's EU headquarters.

The Dutch authority was the first to raise concerns about Microsoft's data collection habits, concluding in 2017 that the way Windows 10 operates was in breach of its local data laws. It found that Microsoft was collecting large volumes of application usage data, such as dwell time, how the user interacted with the app, and how often they are active, as well as data that tracked what sites were visited on its Edge browser.

Microsoft eventually agreed to make changes to its policy in April 2018, a month before GDPR came into force. It's those changes that the Dutch data regulator is now questioning, only this time data laws are now standardised across the bloc and present a much tougher front for Microsoft to contend with.

Microsoft said it will continue to work with the Irish authority to address any further concerns related to data privacy.

"Microsoft is committed to protecting our customers' privacy and putting them in control of their information," a statement to TechCrunch read. "Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10."

"We welcome the opportunity to improve even more the tools and choices we offer to these end users."

This is not the first time Microsoft has been warned about its data policies since the introduction of GDPR. In November 2018, the Dutch data authority urged users to ditch Office 365 and Windows Enterprise after it discovered eight high-risk collection practices, including the unlawful storage of sensitive data considered sensitive under GDPR, and keeping data beyond the allowed timeframe.

Following that incident, Microsoft agreed to adapt its products to comply with Dutch laws and GDPR, and agreed to supply regular reports on its progress.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Most Popular

UK gov considers blocking Nvidia's takeover of Arm
Acquisition

UK gov considers blocking Nvidia's takeover of Arm

4 Aug 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Tesla Megapack goes up in flames at Australian battery site
Hardware

Tesla Megapack goes up in flames at Australian battery site

30 Jul 2021