The Visitor’s Center at Microsoft Headquarters campus is pictured July 17, 2014 in Redmond, Washington. (Stephen Brashear/Getty Images)

Today, the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a final warning to Microsoft to stop excessive user data collection. According to CNIL, Microsoft collects a lot of data from Windows 10 users.

CNIL gave the US-based tech company three months to comply with the French Data Protection Act. CNIL warned Microsoft against “collecting excess data and unauthorized tracking of user data.” The Chairman of CNIL requires Microsoft to employ security measures to guarantee the confidentiality of user data. This warning follows many complaints about Windows 10. After a series of investigations, French authorities discovered the mentioned security concerns on Microsoft’s side.

The French data protection authority is not only concerned with the excessive data collection. The French authority is also accusing Microsoft of collecting irrelevant data. Windows 10 uses a telemetry service that gathers app data and the duration a user stays on an app. CNIL is confident that such data is not relevant to services the Windows OS offers.

Microsoft also lacks sufficient security. For example, Microsoft users provide a 4-digit PIN to protect payment information. The concern here is that there is no limit to the number of times a user keys in the wrong PIN. Windows 10 also incorporates an advertising ID designed to offer personalized ads without the consent of users. CNIL continues to complain that Windows 10 lacks a cookie-blocking feature.

CNIL issued a statement saying that they decided to issue the warning because of “the severity of the data breaches and the number of people involved.” In France, there are over 10 million Windows 10 users. The French authority was also quick to point out that the purpose of the warning was not to bar Microsoft from advertising. The data protection body wants Windows 10 users in France to consent to the ads, after clearly understanding their rights.

CNIL also has proof that Microsoft is transferring data to the US. Microsoft relies on the Safe Harbor framework to transfer this data. The top EU court struck down this framework after reports about mass US surveillance. It is therefore illegal to move data from Europe to the US. Companies have had to use standard contractual clauses to transfer data across the Atlantic to the US. According to Microsoft, the company uses this provision and other legal mechanisms to move data from Europe.

Microsoft responded to the CNIL warning through its vice-president, David Heiner. Heiner said that Microsoft would work in close collaboration with CNIL over the next few months. According to him, Microsoft will first understand the concerns of CNIL and then work on acceptable solutions.

Currently, the fines that CNIL can levy against such a big tech company are trivial compared to the revenue the company gets annually. However, a new European Union data protection Act is in progress. The Act provides for fines of as much as 4% of a business’s annual revenue.