France on Thursday, served a formal notice to Microsoft seeking an end to what it deems excessive data collection– it also sought to stop tracking of ‘browsing users’ without their consent on civil liberty grounds.
France’s National Data Protection Commission (CNIL) said in a statement it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.
CNIL made the demand after Microsoft launched its latest Windows 10 operating system a year ago, saying media and political groups had brought the issue to its attention.
- ‘Sharing’ user data: Govt asks Facebook for explanation
- What Facebook shared, with whom
- WhatsApp warned not to share data with Facebook by French watchdog
- European regulators join forces to probe Facebook over privacy concerns
- France to fine Google euro 300,000 over privacy rules
- Six European countries move against Google over privacy
The French indicated those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”.
The CNIL also criticised Microsoft for allowing users to choose a four character PIN number to authenticate access to on-line services, but without limiting the number of attempts to enter the correct code, something the French deemed liable to hit data and personal security.
The French also decried Windows 10’s use of targeted advertising without first obtaining the consent of users and the absence of a means to block cookies.
“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” said the CNIL in a statement issued in French and English.
CNIL also said Microsoft was still transferring user data outside the European Union even though last October the European Court of Justice ruled on privacy grounds that the transfer of European citizens’ data to the United States under the obsolete “safe harbour” basis was no longer valid.
The French body added that should Microsoft fail to comply with the formal notice CNIL would draw up a report on Data Protection Act breaches which could result in a 150,000 euros (USD 165,000) fine.