CNIL Hit Microsoft with a Formal Notice

The Problem

Since Microsoft’s release of Windows 10, in July 2015, excessive amounts of personal and usage data have been harboured from its users.

Despite customers turning off all settings that may allow Microsoft to send data to their server in the US, user still have no control over this. Windows 10 harbours this information through their Cortana and Bing products. Windows 10 manages to do this by sending any ‘home searches’, ‘live tile’ searches as well as Internet inquiries via an unencrypted http data channel ‘threshold.appcache’.

This is worrying as customers are not asked to consent to this. They aren’t even able to turn this feature off. There is also the issue of the unencrypted channel that leaves customers open to malicious actors.

CNIL and Microsoft

Since the French Data Protection Authority (CNIL) became aware of this seven online observations were carried out in April and June 2016. They have since questioned Microsoft Corporation on this.

Microsoft interestingly said nothing to defend or deny the excessive data collection of Windows 10. They responded saying they were happy to comply with the CNIL and

“understand the agency’s concerns fully and to work toward solutions that it will find acceptable.”

Microsoft also address the reason behind the data being send back to the company’s US servers. They stated it was under the previously applicable ‘Safe Harbour Agreement’. Knowing now these regulations are no longer required they have said they will work towards the new requirements of the ‘Privacy Shield’

Despite these statements, the Chair of the Commission Nationale de l’Informatique et des Libertés (CNIL) issued a formal notice to Microsoft on Wednesday. They requested Microsoft stop collecting excessive personal data without users consent and comply with the French Data Protection Act within 3 months. If Microsoft Cooperation fails to do so the CNIL will issue a sanction.


Unsurprisingly it isn’t just the French Data Protection Act that Microsoft is in breach of. This activity is also conflicting with other countries policies as well as the EU’s General Data Protection Regulations (GDPR). Once these come into force in 2018 the regulating authority will be able to fine companies 4% of their annual turnover. With the countdown to GDPR at just 437 working days this is going to become a bigger issue for not just Microsoft but any corporation using personal data.