Ever since Microsoft launched Windows 10 in 2015, several accusations of personal data intrusion have plagued the operating system. While the Redmond giant later introduced changes to the privacy controls for users of the platform, it seems the software titan has not completely pleased some regulators despite them — not least of them those of the European Union.
The Article 29 Working Party, which consists of 28 governing bodies that implement EU’s data protection laws, remains concerned about the privacy settings and data collection policies embedded in Windows 10. More specifically, concern lingers around the volume of data the OS gathers by default. The EU also raises doubts about whether Microsoft collects and processes all this data with full user consent.
Microsoft’s most recent tweak to the privacy control setup in Windows 10 occurred last month. The company claimed that the tweak aimed to simplify the Diagnostic data levels and minimize the amount of data gathered at the Basic level. Microsoft is set to roll out the new privacy settings structure to users via the Windows 10 Creators Update, which will land in April 2017.
A few days after the company posted a blog about the privacy changes, the data protection watchdog sent a letter to Microsoft, raising some concerns about how the company intends to process personal data of users. The group wrote:
The Working Party has significant concerns with some of the personal data collected and further processed by Microsoft within the Windows 10 operating system and specifically the default settings or apparent lack of control for a user to prevent collection or further processing of such data.
As a result the Working Party specifically requests further explanatory information from Microsoft, as data controller for this personal data, as to how the opt-outs, default settings and other available control mechanisms presented during the installation of Windows 10 operating system provide a valid legal basis for the processing of personal data under the Data Protection Directive 95/46/EC.
This is especially of concern where Microsoft would rely on consent as a legal basis for the processing of personal data. The Working Party has previously published Opinion 15/2011 on the definition of consent which highlights that for consent to be considered valid it must be fully informed, freely given and specific.
Do you agree with the data privacy watchdog’s demand for an explanation about the kinds of personal data processed by Microsoft? Share your thoughts in the comments.