Microsoft may have been changing its course about data collection, but authorities are still unhappy about some aspects of the company's telemetry processes. Earlier in the year, the company promised to clearly communicate exactly how much data it collects from its Windows 10 users, publishing a detailed list. Now, Autoriteir Persoonsgegevens, the Dutch data protection authority (DPA) has said that the company hasn't clarified what it does with that data, preventing users from giving informed consent.
Microsoft needs to get valid user consent
The data regulator, in short, says that the latest Redmond operating system is breaking the law. "It turns out that Microsoft's operating system follows about every step you take on your computer," Wilbert Tomesen, vice-chairman of the watchdog, said.
"That results in an intrusive profile of yourself. What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves."
The regulator added that the company "does not clearly inform users that it continuously collects personal data about the usage of apps and web surfing behaviour through its web browser Edge, when the default settings are used."
Following several now-closed investigations, including a similar one from a French authority, the Dutch watchdog also demands the Redmond software maker to be more transparent and unambiguous about its data collection practices. Following the earlier investigations, the company offered an overview of the data that it collects through its two levels of telemetry (Basic and Full) settings. However, the watchdog says that "the way Microsoft collects data at the full telemetry level is unpredictable."
"Microsoft can use the collected data for the various purposes, described in a very general way. Through this combination of purposes and the lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data."
In our own poll here at Wccftech, over 13% of respondents said that they never noticed the new privacy settings when upgrading to Windows 10 Creators Update. The setting is set to Full as a default, which should be set to Basic to make sure that users who keep hitting the "next" button are also taking advantage of the data protections in place.
Consent; informed and unambiguous
Microsoft needs to obtain valid consent from users to process their personal data. Therefore, people must be well informed and need to know precisely to what they say yes. This is not the case. The information that Microsoft provides in the installation screen of the Creators Update about the different choices for data processing, falls short. It is not made sufficiently clear that at the full telemetry level, Microsoft continuously collects data about the usage of apps and web surfing behaviour through Edge, including for example news articles that have been read and locations entered into apps.
DPA wants Microsoft to get a valid and informed user consent that is based on clear information on both what data is being collected and how that data is processed. In its response to the DPA, Microsoft has disagreed with various points that the authority has made, saying that the company does share enough information for users to make informed decision.
The Dutch DPA warned that if Microsoft doesn't end its "violations," the watchdog will impose "a sanction" on the company. Microsoft added that though it disagrees with several objections, it plans to "collaborate with the Dutch DPA to discuss key aspects of" its data processing operations and implement improvements.
"We have also shared specific concerns with the Dutch DPA about the accuracy of some of its findings and conclusions," Microsoft writes in its response. The company has also pointed to how it keeps listening to feedback to introduce better privacy controls for users. "Next week, we have even more privacy improvements coming in the Fall Creators Update," Microsoft promised.