Dutch data regulator warns Windows 10 still breaches user privacy

The Dutch data protection regulator has accused Microsoft of remotely collecting data from Windows Pro and Windows 10 Home users in what could constitute yet another breach of EU data law.

The agency was testing changes to the company's data collection policies, introduced by Microsoft last year, when it discovered that diagnostic and non-diagnostic data was still being collected.

"A follow-up check by the Dutch DPA has shown that the changes have led to concrete improvements," the DPA said in a statement supplied to IT Pro. "Microsoft has complied with the agreements made. However, the check also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules."

Details of the data collection have been passed over to the Irish Data Protection Commission, the local authority to Microsoft's EU headquarters.

The Dutch authority was the first to raise concerns about Microsoft's data collection habits, concluding in 2017 that the way Windows 10 operates was in breach of its local data laws. It found that Microsoft was collecting large volumes of application usage data, such as dwell time, how the user interacted with the app, and how often they are active, as well as data that tracked what sites were visited on its Edge browser.

Microsoft eventually agreed to make changes to its policy in April 2018, a month before GDPR came into force. It's those changes that the Dutch data regulator is now questioning, only this time data laws are now standardised across the bloc and present a much tougher front for Microsoft to contend with.

Microsoft said it will continue to work with the Irish authority to address any further concerns related to data privacy.

"Microsoft is committed to protecting our customers' privacy and putting them in control of their information," a statement to TechCrunch read. "Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10."

"We welcome the opportunity to improve even more the tools and choices we offer to these end users."

This is not the first time Microsoft has been warned about its data policies since the introduction of GDPR. In November 2018, the Dutch data authority urged users to ditch Office 365 and Windows Enterprise after it discovered eight high-risk collection practices, including the unlawful storage of sensitive data considered sensitive under GDPR, and keeping data beyond the allowed timeframe.

Following that incident, Microsoft agreed to adapt its products to comply with Dutch laws and GDPR, and agreed to supply regular reports on its progress.

Contributor

Dale Walker is a contributor specializing in cybersecurity, data protection, and IT regulations. He was the former managing editor at ITPro, as well as its sibling sites CloudPro and ChannelPro. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.