CNIL Accepts Microsoft’s Data Protection Improvements to Windows 10
CNIL, the French data protection regulator, has closed the formal notice procedure it served on Microsoft on June 30, 2016 over privacy concerns relating to Windows 10. “Since then,” says CNIL, “the company has brought itself into line with data protection rules, the formal notice procedure has therefore been closed.”
In a statement emailed to SecurityWeek, Microsoft commented, “We are committed to protecting our customers’ privacy and putting them in control of their information. We appreciate the French data protection authority’s decision and will continue to provide clear privacy choices and easy-to-use tools in Windows 10.”
The notice was served last year with three particular concerns: the excessive collection of personal data; the tracking of users’ web-browsing without their consent; and a lack of security and confidentiality of users’ data. Since then, Microsoft has addressed each issue to CNIL’s satisfaction.
On the first, Microsoft has reduced the amount of data it collects by nearly half. “it has restricted its collection to the sole data strictly necessary for maintaining the proper functioning of its operating system and applications, and for ensuring their security,” notes CNIL.
On the second concern, Microsoft now makes it clear that an advertising ID is intended to track web-browsing in order to offer personalized advertising. This now has to be activated or deactivated at installation, and users can reverse the choice at any time.
Over security concerns, Microsoft “has strengthened the robustness of the PIN code allowing users to authenticate to all company’s online services, and more specifically to their Microsoft account,” notes CNIL: “too common PIN code combinations are now forbidden.”
Microsoft has also addressed the other injunctions within the formal notice. It has inserted the information required under Article 32 of the French Data Protection Act; it has requested CNIL authorization for its processing of personal data; it has joined Privacy Shield; and it has ceased placing advertising cookies without obtaining users’ consent.
“The Chair of the CNIL has considered that the company had complied with the French Data Protection Act and has therefore decided to proceed to the closing of the formal notice,” says the CNIL announcement.
Given the size of the sanctions that will become available to CNIL when the GDPR comes into force in May 2018, it is probably a wise move by Microsoft to get compliance sorted now.
More from Kevin Bowers
- Alexa May Be Recording More Than You Realize
- UK’s NCSC Adopts HackerOne for Vulnerability Coordination Disclosure
- Artificial Intelligence in Cybersecurity is Not Delivering on its Promise
- Untangle Partners With Malwarebytes to Bring Layered Security to SMBs
- Testing Security Products: Third-Party Standards vs. In-House Testing
- New Cyber Readiness Program Launched for SMBs
- Personal Details of 120 Million Brazilians Exposed
- Researchers Find Thousands of Twitter Amplification Bots in Just One Day
Latest News
- Microsoft: Iran Unit Behind Charlie Hebdo Hack-and-Leak Op
- Feds Say Cyberattack Caused Suicide Helpline’s Outage
- Big China Spy Balloon Moving East Over US, Pentagon Says
- Former Ubiquiti Employee Who Posed as Hacker Pleads Guilty
- Cyber Insights 2023: Venture Capital
- Atlassian Warns of Critical Jira Service Management Vulnerability
- High-Severity Privilege Escalation Vulnerability Patched in VMware Workstation
- Exploitation of Oracle E-Business Suite Vulnerability Starts After PoC Publication
