Data Protection Watchdog Could Fine Microsoft $1.7 Million
Jeremy Kirk (jeremy_kirk)
July 21, 2016
France's data protection watchdog has slammed Microsoft Windows 10 for collecting excessive amounts of personal data and failing to use strong security controls. Under the country's data protection laws, Microsoft may now face up to $1.7 million in fines.
Microsoft has until Sept. 30 to respond to the notice from the chair of the National Data Protection Commission. Under French law, this independent authority, also known as CNIL, has the power to levy fines for violating France's data protection laws. And the agency has not hesitated to use that power before, for example against Google.
CNIL claims that Windows 10 has numerous problems relating to how it collects user data, implements specific security controls and handles cookies, which are often used for tracking users and serving related advertising.
The agency has also accused Microsoft of continuing to transmit data under the now defunct Safe Harbor provisions. The European Court of Justice last year ruled that the provisions were illegal, and they're now due to be replaced by a new agreement called Privacy Shield. But in the interim, any organizations that have continued to rely on Safe Harbor - without demonstrating compliance with EU data privacy laws using some other legal technique - have left themselves exposed to enforcement actions by European regulators.
Now, according to the formal notice served by CNIL, Microsoft could face up to 1.5 million euros ($1.65 million) in fines for two of its alleged data privacy law violations as well as 7,500 euros ($8,260) for a third.
Microsoft says in a statement that it has built strong privacy protections into Windows 10 and is continually working on improvements.
"We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable," according to a statement from David Heiner, Microsoft's vice president and general counsel.
Finding: Windows 10 Leaks Personal Data
The formal request from CNIL to Microsoft follows an examination that the agency conducted earlier this year of Windows 10, including watching its behavior when connected to the internet. CNIL has also queried Microsoft about its related privacy policies.
Regulators say they found that Windows 10, released in July 2015, collects a variety of diagnostic and usage data for apps downloaded by users, including the time spent using the apps (see Windows 10: Security, Privacy Questions).
"Therefore, the company is collecting excessive data, as these data are not necessary for the operation of the service," according to CNIL's notice to Microsoft.
CNIL also notes that while Windows 10 lets users pick a four-character PIN to access their Microsoft account and purchase apps, "the number of attempts to enter the PIN is not limited, which means that user data is not secure or confidential."
Furthermore, users are allowed to create a PIN of "0000," the agency says. "This weak password without a combined mechanism to limit the number of unsuccessful authentication attempts does not ensure the security or confidentiality of the data," CNIL says.
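The two controls CNIL says are missing, a limit on failed attempts and rejection of trivially weak PINs such as "0000", are easy to see in code. The following is an added example written for this article, not Microsoft's implementation; the lockout threshold and the weak-PIN rules are assumed policy choices, and the salted PBKDF2 storage is a standard practice chosen here for illustration.

```python
import hashlib
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed policy: lock after this many consecutive failures


def is_weak_pin(pin: str) -> bool:
    """Reject PINs that are not four digits, repeat one digit (e.g. 0000),
    or form a straight ascending/descending run (e.g. 1234, 9876)."""
    if not (pin.isdigit() and len(pin) == 4):
        return True
    if len(set(pin)) == 1:
        return True
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


class PinVerifier:
    """Holds a salted PIN hash and enforces a failed-attempt lockout.

    Without the lockout a 4-digit PIN offers only 10,000 possibilities,
    which is the weakness CNIL describes in the notice quoted above."""

    def __init__(self, pin: str, max_attempts: int = MAX_ATTEMPTS):
        if is_weak_pin(pin):
            raise ValueError("PIN rejected by policy")
        self._salt = secrets.token_bytes(16)
        self._max = max_attempts
        self._failures = 0
        self._hash = self._derive(pin)

    def _derive(self, pin: str) -> bytes:
        # Slow, salted derivation so a leaked store cannot be reversed cheaply.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 100_000)

    @property
    def locked(self) -> bool:
        return self._failures >= self._max

    def verify(self, attempt: str) -> bool:
        """Return True only for the correct PIN while not locked out."""
        if self.locked:
            return False  # even the right PIN is refused once locked
        if hmac.compare_digest(self._derive(attempt), self._hash):
            self._failures = 0
            return True
        self._failures += 1
        return False
```

A real deployment would persist the failure counter outside the process and pair the lockout with a back-off or re-authentication step, so that restarting the client does not reset the count.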
The operating system also installs advertising trackers known as cookies without properly informing users of this in advance "or enabling them to oppose this," CNIL alleges, which would violate EU law.
No Safe Harbor
The move by CNIL against Microsoft follows the European Court of Justice invalidating the 15-year-old Safe Harbor framework in October 2015, ruling that the United States failed to provide an adequate level of protection for EU citizens' data, as required under European law (see EU Court Invalidates U.S.-EU Data Sharing Agreement). The ruling was fueled, in part, by former National Security Agency contractor Edward Snowden's leak of secret intelligence documents in 2013 that showed how U.S. authorities were running a mass surveillance program that amassed Europeans' personal data.
The court's decision set off a scramble to create a new framework under which technology companies could legally transfer personal data between the U.S. and European Union without having to demonstrate full compliance with all EU regulations. The sides reached an agreement in February, and a commercial pact - Privacy Shield - was passed on July 12. Companies can start self-certifying with Privacy Shield beginning on August 1 (see 'Privacy Shield' to Replace Safe Harbor).
Under the new agreement, the U.S. government agreed to limit its access to Europeans' data, commit to regular reviews of data handling practices and ensure compliance by companies through the U.S. Federal Trade Commission.
Microsoft's Heiner writes that the company intends to adopt Privacy Shield and will issue an updated privacy policy in August. Microsoft says it adhered to the Safe Harbor framework, as well as other legal measures, while negotiators worked toward a new data-sharing pact.
"As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States," Heiner writes.
Legal Uncertainty
But it's unclear if whatever arrangements Microsoft had in place will stand up to CNIL's scrutiny, which may leave the company vulnerable to fines. On June 6, for example, a German regulator fined three companies - software maker Adobe; fruit juice maker Punica, which is a subsidiary of PepsiCo; and Anglo-Dutch consumer goods group Unilever - for failing to establish "allowed alternative methods even six months after the cessation of the Safe Harbor Agreement," according to the Hamburg Commissioner for Data Protection and Freedom of Information. "The data transfer of these companies to the USA was thus without any legal basis and unlawful."
But the German regulator said that after it launched its related investigation, all three companies had "changed their data transfer legally to standard contractual clauses." As a result, it imposed fines that collectively totaled just 28,000 euros ($31,000) against the three companies.
Executive Editor Mathew J. Schwartz contributed to this story.