European Union data protection authorities have expressed fresh concerns about the privacy of Microsoft's Windows 10 operating system, despite tweaks being made to the OS after questions were raised about its treatment of personal data last year.

In a letter, the Article 29 Working Group said it still has "significant concerns" about how Microsoft collects and processes users' personal data, and whether it obtains fully informed consent from users to do so.

"There is an apparent lack of control for users to prevent collection or further processing of such data. As a result, the Working Party specifically requests further explanatory information from Microsoft, as to how the opt-outs, default settings and other available control mechanisms presented during the installation of Windows 10 operating system provide a valid legal basis for the processing of personal data under the Data Protection Directive 95/46/EC. This is especially of concern where Microsoft would rely on consent as a legal basis for the processing of personal data," the statement said.

Windows 10 launched in July 2015, and almost immediately garnered criticism for the use of default settings to harvest voluminous amounts of user data, such as web browsing history, Wi-Fi network names and passwords, in order to display personalized adverts as users browse the web or play games. User data is also fed in to train Microsoft's Cortana digital assistant.

While users were given the ability to opt out of data collection, the process for doing so was criticized for being complex and opaque, comprising 45 pages of privacy policy documents, with opt-out settings spread across 13 different screens and housed on an external website.

In response, the Article 29 Working Party instigated an investigation, as did several national data protection authorities, including France's CNIL. Their independent conclusions were much the same: the company must stop excessive data collection.

Among the breaches CNIL accused Microsoft of were failing to obtain notice for data transfers, breaking cookie law requirements, having inadequate security protections for personal data, failing to file an authorization request for processing personal data for fraud prevention purposes, and breaching cross-border data transfer restrictions.

CNIL set a deadline of January 31 for Microsoft to comply with its recommendations, although the Working Group's warning suggests the tech giant is yet to fulfil its obligations, meaning it can be fined. In all, Microsoft could face fines of up to US$3.2 million for breaches of domestic privacy laws.

The EU General Data Protection Regulation, due to come into force in May 2018, increases the potential penalties for companies breaching EU data protection law, with fines of up to four percent of annual turnover for enterprises found to be non-compliant.

The issue of informed consent in respect of data sharing has also seen Facebook and WhatsApp fall foul of European regulators; the companies were forced to suspend data sharing after making a change to WhatsApp's privacy policy that pushed users to consent to sharing information such as their mobile phone number with the messaging app's parent company.

In a statement, European Digital Rights said Microsoft "grants itself very broad rights to collect everything you do, say and write" on Windows 10-equipped devices in order to sell more targeted advertising or to sell your data to third parties.

"The company appears to be granting itself the right to share your data either with your consent 'or as necessary.' Microsoft's updated privacy policy is not only bad news for privacy. Your free speech rights can also be violated on an ad hoc basis," the statement said.