Connect with us

Hi, what are you looking for?


Privacy & Compliance

French Regulator Accepts Microsoft’s Data Protection Improvements to Windows 10

CNIL Accepts Microsoft’s Data Protection Improvements to Windows 10

CNIL Accepts Microsoft’s Data Protection Improvements to Windows 10

CNIL, the French data protection regulator, has closed the formal notice procedure it served on Microsoft on June 30, 2016 over privacy concerns relating to Windows 10. “Since then,” says CNIL, “the company has brought itself into line with data protection rules, the formal notice procedure has therefore been closed.”

In a statement emailed to SecurityWeek, Microsoft commented, “We are committed to protecting our customers’ privacy and putting them in control of their information. We appreciate the French data protection authority’s decision and will continue to provide clear privacy choices and easy-to-use tools in Windows 10.”

The notice was served last year with three particular concerns: the excessive collection of personal data; the tracking of users’ web-browsing without their consent; and a lack of security and confidentiality of users’ data. Since then, Microsoft has addressed each issue to CNIL’s satisfaction.

On the first, Microsoft has reduced the amount of data it collects by nearly half. “it has restricted its collection to the sole data strictly necessary for maintaining the proper functioning of its operating system and applications, and for ensuring their security,” notes CNIL.

On the second concern, Microsoft now makes it clear that an advertising ID is intended to track web-browsing in order to offer personalized advertising. This now has to be activated or deactivated at installation, and users can reverse the choice at any time.

Over security concerns, Microsoft “has strengthened the robustness of the PIN code allowing users to authenticate to all company’s online services, and more specifically to their Microsoft account,” notes CNIL: “too common PIN code combinations are now forbidden.”

Advertisement. Scroll to continue reading.

Microsoft has also addressed the other injunctions within the formal notice. It has inserted the information required under Article 32 of the French Data Protection Act; it has requested CNIL authorization for its processing of personal data; it has joined Privacy Shield; and it has ceased placing advertising cookies without obtaining users’ consent.

“The Chair of the CNIL has considered that the company had complied with the French Data Protection Act and has therefore decided to proceed to the closing of the formal notice,” says the CNIL announcement.

Given the size of the sanctions that will become available to CNIL when the GDPR comes into force in May 2018, it is probably a wise move by Microsoft to get compliance sorted now.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...


Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Application Security

Microsoft’s security patching machine hummed into overdrive Tuesday with the release of fixes for at least 97 documented software vulnerabilities, including a zero-day that’s...