France's data protection commission has ordered Microsoft to "stop collecting excessive user data" and to stop tracking the web browsing of Windows 10 users without their consent. In a notice published on Wednesday, the CNIL said that Microsoft must also take steps to guarantee "the security and confidentiality" of its users' personal information, after determining that the company was still transferring data to the US under the "Safe Harbor" agreement that an EU court invalidated in October. Microsoft has three months to comply with the orders, the CNIL said.

The CNIL, France's privacy watchdog, based its decision on an investigation carried out between April and June of this year. The organization says that other European data protection authorities formed a "contact group" to investigate Microsoft's data collection practices following the release of Windows 10 last June. In September 2015, Terry Myerson, Microsoft's Windows chief, responded to growing privacy concerns surrounding Windows 10, saying that the operating system "collects information so the product will work better for you," and that users "are in control with the ability to determine what information is collected."

CNIL wants "users to make their choice freely"

The CNIL says it decided to issue the notice due to the "seriousness of the breaches and the number of individuals concerned," saying there are more than 10 million Windows users in France. The CNIL found that Microsoft is collecting "excessive" data on Windows 10 users, including the specific apps they download and how much time they spend on each one. The organization added that the company uses cookies to serve personalized ads without properly informing users or allowing them to opt out, and that the four-character PIN system used to access Microsoft services is insecure, because there is no limit on the number of attempts a user can make.

If Microsoft does not comply within the three-month window, the CNIL says it may appoint an investigator who could recommend sanctions against the company. "The purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights," the CNIL said in a statement.

The CNIL has issued similar notices against US tech companies in the past. Last year, the organization ordered Google to expand Europe's "right to be forgotten" ruling to cover all Google sites, and earlier this year, it ordered Facebook to stop tracking the web browsing of non-users, giving the company three months to comply.

In a statement provided to Reuters, Microsoft vice president and deputy general counsel David Heiner said that the company will work with CNIL to develop "solutions that it will find acceptable."

Windows 10 review