Windows 10: CNIL issues Microsoft with formal notice

On 30 June 2016, after carrying out checks on data processed by the Windows 10 operating system, CNIL (the French Data Protection Commission) issued Microsoft with formal notice to comply with French regulations concerning protection of personal data (ruling no. 2016-058 of 30 June 2016). It also ruled that the decision should be made public, given the scale of the violations in question.

Indeed, CNIL identified no fewer than six violations of the French Data Protection Act:

• excess nature of the data collection: CNIL ruled that the information collected during the "basic" installation of the operating system was excessive in relation to the purpose of the processing, i.e. the simple functioning of the service;
• insufficient information provided to the persons in question: the data-owners did not receive any of the mandatory information at the time the data was collected. Neither did information concerning transfer of the data to third-party countries appear in Microsoft's confidentiality policy;
• non-compliance with regulations relating to use of cookies and similar technologies: during its inquiry, CNIL found that Microsoft, by default, placed advertising cookies on users' computers, despite such installation in principle requiring the explicit consent of the person concerned. CNIL also requires very specific and exhaustive wording to be brought to the data-owner's attention before any cookies are installed, another obligation breached by Microsoft. Finally, CNIL found that Windows 10 users did not have sufficient opportunity to object to cookies and similar technologies;
• breach of security obligation: a four-digit PIN code to open a session in Windows 10 is systematically used by Microsoft to identify the person concerned. CNIL found that this authentication process was not sufficiently secure and constituted a breach of the security obligation under the French Data Protection Act;
• lack of CNIL authorisation: according to the French Data Protection Act, a data controller may not establish processing without having first declared it or, in some cases, without obtaining authorisation from CNIL. However, Microsoft had established a processing procedure designed to detect fraud which could potentially exclude the person concerned from the benefit of a right or a contract. This type of sensitive processing requires prior authorisation, which Microsoft had not obtained – or even sought;
• continued transfer of data based on Safe Harbor principles: CNIL notified Microsoft that Safe Harbor principles were no longer a legal ground for the transfer of data to the United States (for more on this subject, see: "The CJEU challenges the procedure for transfer of data to the United States - the end of Safe Harbor", in the Intellectual Property newsletter from October 2015). The company therefore had no appropriate framework for the storage and processing in the United States of data collected in France. Microsoft must therefore establish appropriate protection for data collected in France (or any European Union Member State).

Microsoft was given three months – until 30 September 2016 – to end these violations of the French Data Protection Act.

The company faces a penalty if it fails to comply with the formal notice by that deadline. In addition to the administrative fine which may be issued by CNIL (up to €150,000 for a first violation), the ruling reminds Microsoft that criminal fines may also apply (up to €7,500 in respect of points 2 and 3, and up to €1,500,000 in respect of points 4 and 5). CNIL's latest ruling is likely to be published in the coming weeks.