France Serves Notice to Microsoft on Data Tracking

Paris – France on Wednesday said it had served notice to Microsoft to stop collecting what it deems excessive data and tracking browsing by users without their consent on civil liberty grounds.

The National Data Protection Commission (CNIL) said in a statement that it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.

The agency said media and political groups brought the issue to its attention after Microsoft launched its latest Windows 10 operating system a year ago.

CNIL undertook seven “online observations” to determine the extent of the problem and questioned Microsoft Corporation on its privacy policy to see if Windows 10 fully complied with French data protection legislation, the agency said.

Those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”, the statement said.

CNIL also criticized Microsoft over the four-character PIN number that enables users to authenticate access to online services, saying the tech giant failed to limit the number of attempts to enter the correct code, threatening data and personal security.

The agency condemned Windows 10’s use of targeted advertising without first obtaining users’ consent, as well as the operating system’s lack of a way to block cookies.

“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” the statement said.

Microsoft is still transferring user data outside the European Union even though the European Court of Justice ruled on privacy grounds in October that the transfer of European citizens’ data to the United States under the obsolete “safe harbor” basis was no longer valid, CNIL said.

Should Microsoft fail to comply with the formal notice, CNIL would draw up a report on Data Protection Act breaches that could result in a fine of 150,000 euros ($165,000), the agency added.

Microsoft said it would cooperate with CNIL to address its concerns.

“We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections,” Microsoft vice president David Heiner said in a statement.

Concerning transfer of data from Europe to the United States, Microsoft relies on a variety of legal mechanisms, in addition to “safe harbor”, he added.

After a legal wrangle over handling web data between Europe and the United States, the European Union earlier this month launched a controversial deal with Washington aimed at curbing government spying on EU citizens’ personal internet data.

A new “Privacy Shield” sets out tough rules to prevent US intelligence agencies from accessing Europeans’ data, with companies facing penalties if they do not meet European standards of protection.

Microsoft will release an updated privacy statement next month that will say it intends to adopt the Privacy Shield, the company said.

But critics say the new arrangements do not go far enough and will face legal challenges.

*Updated with statement from Microsoft

Written By

AFP 2023
