Windows 10 is collecting too much data from its French users, the country’s privacy watchdog said in a formal notice to Microsoft this week.
The Commission Nationale de L’Informatique et des Libertés (CNIL) has also accused the software giant of tracking Windows 10 users and serving up targeted ads without users’ consent.
The CNIL has given Microsoft three months to comply with the French Data Protection Act or face sanctions and/or fines.
After an informal investigation, the CNIL came up with several bones of contention, including the transfer of French user data to the U.S., despite Safe Harbor being under suspension since Oct. 6. A ruling by the European Court of Justice last fall made the transfer of personal data between the European Union and the United States under the arrangement known as Safe Harbor illegal.
The CNIL also found that Microsoft “puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this.”
Lack of security and lack of consent were also concerns.
“The company allows users to choose a four characters PIN to authenticate themselves for all its on-line services, notably to access to their Microsoft account, which lists purchases made in the store and the payment instruments used, but the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential,” the CNIL said in a press release, adding, “An advertising ID is activated by default when Windows 10 is installed, enabling Windows apps and other parties’ apps to monitor user browsing and to offer targeted advertising without obtaining users’ consent.”
The CNIL said if Microsoft addresses the issues within the three-month timeframe, no further action will be taken.
Microsoft deputy general counsel David Heiner told Reuters his firm would work closely with the CNIL in the given timeframe to understand its concerns and “work toward solutions that it will find acceptable.”