On October 13, 2017, the Dutch Data Protection Authority (DPA) released a report concluding that Microsoft’s Windows 10 operating system breaches local privacy law.1 The report bases its conclusion on the operating system’s processing of personal information in relation to telemetry data—diagnostic system information used to fix errors and improve products.2 According to the report, Holland’s four million active Windows 10 users were not being clearly informed of how Microsoft was using their personal information.3 This is not the first time Windows 10 has been scrutinized for its user privacy protection. Officials from France,4 Germany,5 and Switzerland6 have all previously expressed concern with how the operating system ensures users remain in control of their private data.
The report primarily claims Windows 10 violates the Dutch Personal Data Protection Act (Wbp).7 According to section eight of the Wbp, a company may only use personal data under limited circumstances.8 Possible circumstances include: processing personal information with the user’s consent; processing personal information as part of a contract with the user; or processing personal information to further a “legitimate interest” as long as that interest is not outweighed by a greater, more fundamental privacy interest of a user.9 The report also refers to violations of the Dutch Telecommunications Act, which requires user consent for the storing or reading of information from a user’s device.10
According to the report, Windows 10 violates Dutch privacy law through its default telemetry data settings.11 The report describes Windows 10 as offering users two levels of telemetry data sharing: basic and full.12 When a user installs the operating system, the default telemetry level is set to full.13 This default full setting allows Windows 10 to collect information on what apps a user is using and on the user’s web browser history.14 Additionally, the report alleges Windows 10’s default settings allow telemetry data to be used to “show personalized advertisements and recommendations” to a user.15 These default settings essentially allow Windows 10 to collect data on a user’s online behavior and use it to show the user advertisements based on that behavior. Because the settings are in place by default, a user cannot provide “specific, informed, unambiguous, and free”16 consent to use personal information “to treat a person in a certain way or influence the behavior of that person.”17 Likewise, Microsoft cannot claim a “legitimate interest” to process user telemetry data for advertising because a user’s browser and app history is highly sensitive in nature.18 The report therefore concludes that the default setting violates the law.19
On the same day as the report’s release, Microsoft responded to the Dutch DPA’s allegations in a blog post.20 In the post, Microsoft assured its customers that Windows 10 is “clearly compliant under Dutch law.”21 The post linked to a list of critiques of the report’s claims, but asserted that Microsoft was willing to “cooperate with the [Dutch] DPA to find appropriate solutions.”22
For example, Microsoft states that Windows 10 clearly informs users of the company’s data practices because “users can learn about the data [Microsoft] collect[s] and how it is used in a variety of ways.”23 The critique also notes that “[u]sers can change their privacy settings at any time.”24
The Dutch DPA has yet to respond to Microsoft’s challenge to the report, but any response is likely to be negative, as the conflict has a deeper foundation. Microsoft’s main contention is that users should actively “learn” about their “privacy choices and control” to add more privacy protection.25 The DPA’s clear position, however, is that the default setting should be more protective.26 In any event, while Microsoft has expressed a willingness to “end all violations,” Dutch authorities have made clear that sanctions could be imposed if the company fails to do so.27