Microsoft has asked for more time to make Windows 10’s data collection comply with French data protection law.

In the summer, the chair of France’s National Data Protection Commission (CNIL) claimed that Microsoft’s flagship OS violated the French data protection act and highlighted the “seriousness of the breaches“.

Microsoft was given three months to change how Windows 10 collects data about users in order to comply with the act. Now Microsoft has asked the CNIL for more time to respond to the authority’s formal notice and has been given an extension until January next year. If Windows 10 still doesn’t comply after this point the company could be fined up to €150,000.

Windows 10 breaches user privacy in several areas, according to CNIL, which says the data the OS collects about users is “excessive”.

For example, Windows 10 transmits user data back to Microsoft by default, with users of Home and Pro versions only able to reduce data collection to the “Basic” level. However, users of Enterprise, Education, and IoT core editions are able to reduce the data collection further, to what Microsoft calls the “Security” level.

SEE: Windows 10 violates your privacy by default, here’s how you can protect yourself

Given Microsoft says that the data collected at the “Security” level is the bare minimum necessary to keep Windows machines “protected with the latest security updates”, the collection of any data above and beyond this is not needed, the CNIL said in its formal notice.

Windows 10 also breaches the act in how it associates an advertising ID with each user, the watchdog said. This unique identifier allows a profile to be built of which apps are used and how.

Another issue highlighted by CNIL, is that Windows 10 downloads advertising cookies to users’ machines without informing them or seeking permission.

The authority also takes issue with how Microsoft handles Windows 10 user data, questioning why, at the time of its investigation, data was being transferred out of the EU under the terms of Safe Harbor, the data-sharing agreement declared “invalid” by the European Court of Justice in October last year.

Beyond Windows 10’s data privacy failings, the CNIL also criticized the OS for allowing Windows users to log in using a four-figure PIN, as well as what it considers to be unsatisfactory protections against guessing this number.

Speaking at the time CNIL issued its formal notice, Microsoft VP and deputy general counsel David Heiner committed the company to working with the authority and stressed the strength of privacy protections built into Windows 10.

Microsoft was not available to comment on its request for an extension.

The CNIL is not the only body to criticize Windows 10’s approach to data collection, with the civil liberties group the Electronic Frontier Foundation saying Microsoft makes users “choose between having privacy and security”.

Despite arguments by some that the amount of data collected by the OS has been overstated, the issue worries some users, although there are certain steps that can mitigate privacy fears.

Read more on Windows 10 and privacy