Privacy & Information Security Law Blog

On July 20, 2016, the French Data Protection Authority (“CNIL”) announced that it issued a formal notice to Microsoft Corporation (“Microsoft”) about Windows 10, ordering Microsoft to comply with the French Data Protection Act within three months.

Background

Following the launch of Microsoft’s new operation system, Windows 10, in July 2015, the CNIL was alerted by the media and political parties that Microsoft could collect excessive personal data via Windows 10. A group composed of several EU data protection authorities was created within the Article 29 Working Party to examine the issue and conduct investigations in their relevant EU Member States. The CNIL initiated its investigation and carried out seven online inspections in April and June 2016. The CNIL also questioned Microsoft on certain points of its privacy statement.

CNIL Formal Notice

In its formal notice, the CNIL found that Windows 10 showed several breaches of the French Data Protection Act as amended, including:

• Breach of the Data Proportionality Requirement. As a general rule, personal data must be appropriate, relevant and not excessive with respect to the purposes for which the data is collected and further processed (i.e., data proportionality). The CNIL found that Microsoft was collecting irrelevant or excessive telemetry data. According to Microsoft’s privacy statement, diagnostic and usage data are collected via Microsoft’s telemetry service, among other things, to identify troubleshooting problems and to improve Microsoft products and services. Users cannot deactivate the telemetry service but can opt to set their devices to the basic level of diagnostic and usage data. Such data is described as vital to the operation of Windows. The CNIL found that most of this data was not directly necessary for the system to operate and thus, Microsoft was collecting excessive personal data.
• Breach of the Notice Requirement. The French Data Protection Act requires data controllers to include minimum privacy language directly on the form used to collect information. Further, the French Implementing Decree requires data controllers to provide detailed information on international data transfers (including the types of the personal data transferred, the purpose(s) of the data transfer, etc.). The CNIL found that the form for creating a Microsoft account did not contain any privacy language and that Microsoft’s privacy statement did not provide all the information required about the data transfers.
• Breach of the Cookie Law Rules. Under the French Data Protection Act, users’ consent must be obtained before accessing or recording data in their devices. The CNIL found that Microsoft was generating a unique advertising ID that was activated by default when Windows 10 was installed, thereby allowing Windows app and third-party apps to monitor user browsing and provide targeted advertising without the user’s prior consent. The CNIL further found that 13 cookies (including advertising cookies) were placed on the user’s device when clicking on the link to Microsoft’s privacy statement. These cookies were placed without informing users in advance of (1) the purposes of the cookies, and (2) how to block them. Additionally, the CNIL also found that that Microsoft’s privacy statement was simply referring to browser settings to block cookies. Browser settings cannot be considered a valid mechanism to block cookies where the site places technical cookies that are essential for its operation and first-party cookies requiring users’ consent (as was the case here). The CNIL concluded that Microsoft was not complying with the cookie law requirements.
• Breach of the Data Security Requirement. The French Data Protection Act also requires data controllers to take all necessary measures to ensure the security of the personal data. The CNIL observed that Windows 10 users were prompted to create a PIN for their device to authenticate themselves for all Microsoft’s online services, including access to their email and Microsoft account, which lists store purchases and the payment options used. The CNIL further observed that the PIN code could be composed of four identical figures (e.g., “0000”) and the number of attempts to enter the PIN was unlimited. According to the CNIL, this implies that user data was not secure.
• Breach of the Registration Requirement. According to the French Data Protection Act, processing personal data for fraud prevention purposes requires the CNIL’s prior authorization. Microsoft’s privacy statement specifies that user data may be processed for these purposes. However, Microsoft did not file an authorization request for implementing the data processing, thereby infringing the French registration requirements.
• Breach of the Cross-Border Data Transfer Restrictions. Finally, since the invalidation by the Court of Justice of the European Union of the European Commission Decision on the Safe Harbor framework, data transfers based on that framework are unlawful. Microsoft’s privacy statement still refers to Microsoft’s Safe Harbor certification, which, according to the CNIL, constitutes a breach of the cross-border data transfer restrictions.

Next Steps

The CNIL ordered Microsoft to cease its non-compliance within three months. Failure to do so within the prescribed time limit may result in a fine of up to €150,000 (under the current regime) or up to €3 million (when the French ‘Digital Republic’ law amending the French Data Protection Act becomes effective - possibly in September or October 2016). Microsoft has already announced that it will release an updated privacy statement next month referring to the EU-U.S. Privacy Shield.