France has formally demanded that Microsoft stops collecting private user data and tracking browsing habits. Should the corporation fail to fulfill the request within three months, it risks facing further sanctions and paying fines of up to €150,000 ($165,000).

On Wednesday the National Data Protection Commission (CNIL) issued a formal statement in which it said that Microsoft had three months to polish its privacy policy and bring it into compliance with the French data protection legislation.

Read more

“It has been decided to make the formal notice public due to, among other reasons, the seriousness of the breaches and the number of individuals concerned (more than ten million Windows users on French territory),” the CNIL said in a statement.

The issue of Microsoft infringing on users’ privacy was raised in France after the corporation launched its latest Windows 10 operating system a year ago. CNIL then began a series of online investigations which “revealed many failures” including the collection of “irrelevant or excessive (user) data.”

CNIL also claimed that Microsoft has been transferring user information from the EU overseas despite the fact that the so-called Safe Harbor agreement which allowed the transfer was declared “invalid” last October by the highest EU court.

If Microsoft fails to meet CNIL’s requirements the agency warned it would initiate a sanctions procedure which could result in a fine up to €150,000 ($165,000).

In the statement CNIL also criticized the use of targeted advertising in the Windows 10 operating system and its inability to block cookies.

“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” the statement said.

Read more

Moreover, the agency expressed dissatisfaction with the four-digit PIN numbers that users are requested to enter in order to gain access to Microsoft online services. CNIL questioned the safety of the procedure as the tech firm did not limit the number of attempts to type the correct code.

READ MORE: No ‘Safe Harbor’: Mixed reaction as top European court strikes down EU-US data-transfer agreement

Microsoft said that it is willing to cooperate with CNIL and will address the accusations.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft vice president David Heiner said in a statement. Heiner said there were other legal mechanisms in addition to Safe Harbor that allowed Microsoft to move user data overseas.

Earlier this month the EU adopted the so-called Privacy Shield law designed to replace its predecessor Safe Harbor which the EU struck down last year over US surveillance concerns. The new deal defined the rules of how the sharing of information should be handled and granted greater guarantees to European customers to prevent US surveillance.