The Netherlands Finds Microsoft in Violation of Privacy Law

The Netherlands is often described as having an indifferent stance to drugs, LGBT rights, privacy and, well, pretty much all social issues, so when the Dutch government suggests something presents an issue worthy of regulation and enforcement, it should raise eyebrows. Recently, the Dutch body responsible for the regulation of privacy protections, the Data Protection Agency (DPA), found that US-based Microsoft Corporation’s popular operating system “Windows 10” fails to allow users to provide informed consent before collecting personal information about their data use. Further, the DPA found that an update pushed by Microsoft does not necessarily maintain previous user-selected preferences, potentially defaulting to the collection of an unknown, potentially vast, amount to user-generated data. Perhaps unsurprisingly, Microsoft has issued a statement detailing their categorical denial of many of the DPA’s findings.

The product in question, Windows 10, is an operating system released in 2015 that is estimated to be running on over 400 million computers and potentially 1 out of 6 computers, tablets, and mobile devices worldwide. One of the attractive features of Windows 10, a service provided by Microsoft, it its ability to track user problems in the aggregate, report that data back, and receive updates pushed remotely from Microsoft. Though this technology is far from new or unique, the manner in which Windows 10 has taken to effect this service has been fraught with concerns. In order to understand the issues experienced by users, Windows 10 collects information, termed “telemetry data,” that allows the corporation to note the circumstances of each error or issue. The system allows users to select from two settings, basic and full. Whereas both basic and full settings allow for the collection of some data, the full setting provides the basis for more than simple technical support, to include targeted advertisements based off of use. Moreover, while users can determine which discrete sets of data are subject to reporting in the basic setting, Microsoft has not explicitly done the same for the default, full setting. In essence, if a user does not actively de-select the full setting, their operating system will report a potentially limitless amount of data.

The DPA is neither calling for a complete ban on Windows 10, nor an opt-out option which would allow users to send no data back to Microsoft. Instead, it suggests that Microsoft take greater steps to comply with the Dutch requirement that companies obtain “valid user consent.” “Microsoft,” the DPA states, “offers users an overview of the categories of data that it collects through basic telemetry, but only informs people in a general way, with examples, about the categories of personal data it collects through full telemetry. The way Microsoft collects data at the full telemetry level is unpredictable.” Most significantly, the agency found that “[t]hrough this . . . lack of transparency Microsoft cannot obtain a legal ground, such as consent, for the processing of data.”

In light of this legal conflict, Microsoft and other competitors may find themselves required to comply with higher levels of transparency or face similar litigation. It’s only a matter of time before the same values that drove the current conflict cross the Atlantic and spark a reduced concern for privacy in the United States. Should the concern catch on, Microsoft may have to amend its practices to allow greater transparency in regard to data collection.