Security

Windows 10 snooping: Microsoft has halved data it collects from PCs says watchdog

The French regulator CNIL announced that Windows 10 now complies with the country's data protection laws, following changes to how the OS handles user privacy.

Microsoft has scaled back the volume of data it collects from Windows 10 PCs by 'almost half', leading French authorities to drop their threat of a fine.

The French regulator CNIL today announced that Windows 10 is no longer in breach of the country's data protection laws, following changes to how the OS handles user privacy. Microsoft had previously faced the threat of a fine of up to €150,000 ($158,000) if Windows 10 wasn't brought into compliance with French data protection rules.

Since the CNIL notice was issued to Microsoft in July last year, Windows 10 has almost halved the volume of data it collects when the user picks the 'Basic' telemetry setting, according to an update issued by CNIL.

Other positive changes highlighted by CNIL include Microsoft making it clearer that devices will be tied to an ID used for advertising purposes and making it easier for users to opt out. CNIL also said Microsoft had tightened the security of the user-chosen, four-digit PIN that allows Windows users to access Microsoft's online services, with obvious PINs being blocked and timeouts for multiple log-in attempts.

"The President of the CNIL considers the company has complied with the law 'Informatique et Libertés' and thus decided to proceed with the closure of the formal notice procedure," CNIL said in a statement.

In April, to coincide with the release of the Creators Update to Windows 10, Microsoft reduced data collection by the OS, introduced a new privacy menu that made it easier to disable some telemetry and revealed more detail about the information it collects.

However, different editions of Windows 10 still offer varying levels of control over privacy. While Home and Pro users can only drop data collection to the "Basic" level, users of the Enterprise, Education, and IoT Core editions are able to reduce collection further, to what Microsoft calls the "Security" level.

According to Microsoft, the "Security" level is the bare minimum necessary to keep Windows machines "protected with the latest security updates". At this level Windows Update will not function correctly and organizations are required to use alternate methods, such as Windows Server Update Services, to patch machines.

While Swiss data protection and privacy regulator FDPIC also dropped its enforcement action related to Windows 10 earlier this year, Microsoft has faced questions about Windows 10 telemetry from an EU data protection body. In February, the EU's Article 29 Working Party said it "remained concerned about the level of protection of users' personal data".

At the time of publication, a spokesperson for the Article 29 Working Party had not responded to a request for comment about whether subsequent changes to Windows 10 had addressed its concerns.


The new privacy settings screen introduced by the Creators Update.

Image: Microsoft


About Nick Heath

Nick Heath is chief reporter for TechRepublic. He writes about the technology that IT decision makers need to know about, and the latest happenings in the European tech scene.
