Dutch DPA: Microsoft breaches data protection law with Windows 10
Microsoft breaches the Dutch data protection law by processing personal data of people that use the Windows 10 operating system on their computers. This is the conclusion of the Dutch Data Protection Authority (DPA) after its investigation of Windows 10 Home and Pro. Microsoft does not clearly inform users about the type of data it uses, and for which purpose. Also, people cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used. Microsoft has indicated that it wants to end all violations. If this is not the case, the Dutch DPA can decide to impose a sanction on Microsoft.
In the Netherlands over 4 million active devices use Windows 10 Home and Pro. Microsoft continuously collects technical performance and user data (e.g. which apps are installed and, if the user has not changed the default settings, how often apps are used, as well as data on web surfing behaviour) from these devices. These data are called ‘telemetry data’. With telemetry Microsoft – as it were – takes pictures of the behaviour of Windows users, and continuously sends these pictures to itself.
Due to Microsoft’s approach users lack control of their data. They are not informed which data are being used for what purpose, neither that based on these data, personalised advertisements and recommendations can be presented, if those users have not opted out from these default settings on installation or afterwards. “It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself”, according to Wilbert Tomesen, vice-chairman of the Dutch DPA. “What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves”.
Basic and full telemetry
Microsoft offers two levels of telemetry: basic and full. At the basic level limited data are processed about device usage . With full telemetry also detailed data on app usage are processed as well as data about web surfing behaviour through Edge and (parts of) the content of handwritten documents via an inkpad.
Microsoft processes data from both levels of telemetry in order to fix errors, to keep devices up-to-date and secure and to improve its own products and services. If users have not opted out for these purposes upon installation or afterwards, then Microsoft also uses data from both the basic and the full telemetry level to show personalised advertisements in Windows and Edge (including all apps for sale in the Windows store)and is the Advertising ID used to show personalised advertisements in other apps.
Microsoft offers users an overview of the categories of data that it collects through basic telemetry, but only informs people in a general way, with examples, about the categories of personal data it collects through full telemetry. The way Microsoft collects data at the full telemetry level is unpredictable. Microsoft can use the collected data for the various purposes, described in a very general way. Through this combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data.
Consent; informed and unambiguous
Microsoft needs to obtain valid consent from users to process their personal data. Therefore, people must be well informed and need to know precisely to what they say yes. This is not the case. The information that Microsoft provides in the installation screen of the Creators Update about the different choices for data processing, falls short. It is not made sufficiently clear that at the full telemetry level, Microsoft continuously collects data about the usage of apps and web surfing behaviour through Edge, including for example news articles that have been read and locations entered into apps.
Through the chosen approach Microsoft also does not obtain unambiguous consent. Microsoft uses opt-out options. On installation the telemetry level is set to full by default and the user is asked to accept the offered settings. Also, it is switched on by default that Microsoft may use the telemetry data to show personalised advertisements and recommendations in Windows and Edge, and that app developers may show personalised ads in apps. If a person does not actively change the default settings during installation, it does not mean he or she thereby gives consent for the use of his or her personal data. Additionally, the Dutch DPA has established that Microsoft has not respected existing privacy choices from some users when they upgraded to the Creators Update. This applies to the people who downloaded the operating system themselves. If they had previously selected basic telemetry in a prior Windows version and did not actively change the privacy settings upon installation of the Creators Update, the settings were switched to full telemetry level.