A French regulator has issued Microsoft a formal warning over Windows 10, saying the operating system collects excessive amounts of personal data, ships that information illegally out of the EU, and has lousy security.

The warning comes from the Commission Nationale de l'Informatique et des Libertés (CNIL), an independent data privacy watchdog with the power to levy fines against companies. The CNIL has been investigating Windows 10 since its launch and has now drawn up a damning list of criticisms.

"The CNIL has decided to issue a formal notice to Microsoft Corporation to comply with the Act within three months," said the group on Wednesday.

"The purpose of the notice is not to prohibit any advertising on the company's services but, rather, to enable users to make their choice freely, having been properly informed of their rights. It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned."

Chief among the regulator's concerns is the amount of information Windows 10 slurps up about its users and sends back to Microsoft's servers. While all recent flavors of Windows send some information back to Redmond, Windows 10 harvests much more and the CNIL considers this intrusive and also not needed to run the OS.

It could also be breaking the law. The collapse of the Safe Harbor agreement last year didn't stop this flow of data from French users back to the US, and the CNIL is concerned that Microsoft made no attempt to comply with the law. The watchdog estimates that there are at least 10 million Windows users in the Euro nation.

Enabling this data collection by default is unfair to users, the CNIL opines, and it complains there is very little information from Microsoft on how to limit the amount of data the operating system collects.

Finally, the agency excoriates Windows 10 for its poor security. People can use a four-digit PIN to log in and purchase apps, and the CNIL notes that there's no limit to the number of times a PIN can be tried. This means that the account is not "secure or confidential," although there are other ways to lock down an account.
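To illustrate the CNIL's point about unlimited PIN attempts, here is a constructed PIN verifier with and without a failure limit (added example, not code from the article or from Microsoft's Windows Hello implementation); the PIN value and the five-attempt lockout threshold are assumptions, and the search simply walks the whole four-digit space to measure how much of it a lockout leaves reachable.

```python
import hmac

# Constructed example: every four-digit PIN, 0000 through 9999.
PIN_SPACE = 10 ** 4


class PinVerifier:
    """Checks a numeric PIN and, optionally, locks out after repeated failures.

    max_failures=None models the behaviour the CNIL criticised: no limit at all.
    """

    def __init__(self, pin: str, max_failures=5):
        self._pin = pin                 # assumed PIN, stored only for the demo
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def check(self, attempt: str) -> bool:
        if self.locked:
            return False                # locked accounts reject even the right PIN
        # Constant-time comparison so the time taken does not leak matching digits.
        if hmac.compare_digest(self._pin, attempt):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def exhaustive_search(verifier: PinVerifier) -> tuple:
    """Try every PIN in order; return (found, attempts_used).

    With no limit the correct PIN is always reached; with a lockout the search
    stops after max_failures attempts, covering only that fraction of PIN_SPACE.
    """
    for n in range(PIN_SPACE):
        if verifier.check(f"{n:04d}"):
            return True, n + 1
        if verifier.locked:
            return False, n + 1
    return False, PIN_SPACE


if __name__ == "__main__":
    print(exhaustive_search(PinVerifier("4821", max_failures=None)))  # (True, 4822)
    print(exhaustive_search(PinVerifier("4821", max_failures=5)))     # (False, 5)
```

With a lockout after five failures, a guesser covers 5 of 10,000 PINs before the account closes; without one, every PIN is reachable.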

Microsoft has three months to come up with proposals for changes to its software that will satisfy the CNIL – although no one at Redmond is going to be too worried. The French bureaucrats move slowly and failure to comply will merely trigger the possibility of an internal investigator being hired to dig deeper into the operating system. The CNIL ultimately has the power to fine organizations if laws are broken, though. ®

Updated to add

"We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections," David Heiner, deputy general counsel at Microsoft, told El Reg this afternoon.

"We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable."

Heiner said Microsoft was a strong advocate of the Safe Harbor rules and had worked hard to set up the Privacy Shield replacement scheme for transatlantic data traffic. In the meantime it had adhered to the old Safe Harbor rules despite the agreement being struck down.

"Microsoft will release an updated privacy statement next month, and that will say Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield," he added.