The Dutch data protection authority has concluded that Microsoft’s Windows 10 operating system breaches local privacy law on account of its collection of telemetry metadata. The OS has been available since the end of July 2015.

Personal data being harvested by default by Microsoft can include the URL of every website visited if the Windows 10 user is browsing the web with Microsoft’s Edge browser (and has not opted out of full telemetry), as well as data about usage of all installed apps on their device — including frequency of use; how often apps are active; and the amount of seconds usage of mouse, keyboard, pen or touchscreen.

Microsoft says it gathers and processes Windows 10 users’ data in order to fix errors, keep devices up-to-date and secure and improve its own products and services.

But if users have not opted out it also uses data from both a basic and full telemetry level to show personalised advertisements in Windows and Edge (including all apps for sale in the Windows store), and also for showing personalised advertisements in other apps.

According to the local DPA there are more than 4 million active devices using Windows 10 Home and Pro in the Netherlands.

No valid consent

After investigating several versions of the OS (including Windows 10 Home and Pro), the Dutch DPA said today it has identified multiple breaches of data protection law.

“Microsoft does not clearly inform users about the type of data it uses, and for which purpose. Also, people cannot provide valid consent for the processing of their personal data, because of the approach used by Microsoft. The company does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used,” it writes.

“Due to Microsoft’s approach users lack control of their data. They are not informed which data are being used for what purpose, neither that based on these data, personalised advertisements and recommendations can be presented, if those users have not opted out from these default settings on installation or afterwards.”

“Microsoft offers users an overview of the categories of data that it collects through basic telemetry, but only informs people in a general way, with examples, about the categories of personal data it collects through full telemetry. The way Microsoft collects data at the full telemetry level is unpredictable. Microsoft can use the collected data for the various purposes, described in a very general way. Through this combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data,” it further writes.

“It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself,” adds Wilbert Tomesen, vice-chairman of the Dutch DPA, in a statement. “What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves.”

The DPA goes on to state that: “Microsoft has indicated that it wants to end all violations,” and notes that “if this is not the case” it can decide to impose a sanction on the company — which could take the form of a financial penalty.

The company has already faced the threat of such a penalty in France, when in July 2016 the local watchdog CNIL gave it three months to fix privacy and security issues to come into compliance with French data protection law.

European data protection watchdogs have had privacy worries about Windows 10 as far back as 2016, after the press and others raised concerns about the extent of the data being gathered by default on Windows 10 soon after its launch.

Microsoft has made some privacy-related changes to the OS in light of the criticisms — adding a new privacy settings structure in the Windows 10 Creators Update, for instance.

However the Dutch DPA’s view is that that update has not ended the violations it found in its investigation.

In a blog post commenting on the Dutch DPA’s findings today, Microsoft said: “I want our customers to know that it is a priority for us that Windows 10 Home and Windows 10 Pro are clearly compliant under Dutch law.”

It goes on to flag up various privacy-related changes it has made or is intending to make, writing: “This year we have released a new privacy dashboard and several new privacy features to provide clear choices to our customers and easy-to-use tools in Windows 10. Next week, we have even more privacy improvements coming in the Fall Creators Update.”

“We welcome the opportunity to continue to work with the Dutch DPA on their comments related to Windows 10 Home and Pro, and we will continue to cooperate with the DPA to find appropriate solutions,” it added.

However the company is also disputing the Dutch DPA’s findings — and says it has shared “specific concerns” with the watchdog about the “accuracy of some of its findings and conclusions”.

It has compiled a point-by-point rebuttal on these points of disagreement here.

For example Microsoft disagrees with the Dutch DPA that it “does not clearly inform users about the type of data it uses, and for which purpose” — because it says Windows 10 users “can learn about their privacy choices and controls”, going on to flag various other means by which it says users can “learn”, such as via its Privacy Choice Screen, or via “Learn more documents” or via the “Microsoft Privacy Statement” or via “blogs and other documentation we publish”.

However the DPA’s point is about clearly informing users what personal data Microsoft is gathered for what purposes. Whereas Microsoft is essentially saying that Windows 10 users should make the effort to learn about that stuff themselves — by navigating a number of different data sources (and in some instances pro-actively locating relevant information on one of Microsoft’s myriad webpage, such as its Windows IT Pro site, themselves).

It remains to be seen how impressed the Dutch DPA will be with those kind of arguments.

Next year a new data protection framework (GDPR) comes into force across Europe which further tightens the rules around obtaining consent from data subjects for processing their personal data — requiring that consent be “specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn”, as the UK watchdog puts it.

The Dutch DPA’s assertion here, with Windows 10, is that Microsoft is failing to obtain “valid consent for the processing of [people’s] personal data” under current EU DP law — pointing out that, for example, it uses “opt-out options” so does not obtain “unambiguous consent”.

It further notes: “If a person does not actively change the default settings during installation, it does not mean he or she thereby gives consent for the use of his or her personal data.”

And, in the EU at least, the consent bar for processing personal data is only going to step up. So Microsoft may well need to make rather more substantial changes to how Windows 10 goes about sucking up users’ metadata in the coming months.