
Did Microsoft Violate GDPR Compliance Rules?

Dutch data protection and privacy regulators have asked a European Union (EU) investigator in Ireland to look into whether Microsoft remotely collected data on Windows Home and Windows Pro users in violation of General Data Protection Regulation (GDPR) privacy rules.

The Dutch Data Protection Agency (DPA) reportedly said it discovered the remote data collection while testing privacy protection changes in Windows made last year. The agency said Microsoft had complied with prior agreements for its software but may have violated GDPR privacy rules by remotely gathering other data from users. Apparently, during Windows 10 onboarding, Microsoft's software makes multiple requests to process user data for various reasons, including advertisements.

“Microsoft is permitted to process personal data if consent has been given in the correct way,” the DPA said (via TechCrunch). “We’ve found that Microsoft collect diagnostic and non-diagnostic data. We’d like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this...Does Microsoft collect more data than they need to? Those questions can only be answered after further examination.”

Since Microsoft has a regional headquarters in Ireland, the issue falls under the EU’s GDPR framework and within the purview of the Irish Data Protection Commission (DPC). Accordingly, the DPA referred its findings to the DPC.

This is what Microsoft told TechCrunch:

“The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible.

“Microsoft is committed to protecting our customers’ privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.”

Should Microsoft be judged to have violated EU data privacy rules, GDPR regulators could hit it with a fine of up to 4 percent of its annual revenue worldwide.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.