Microsoft’s Windows 10 operating system violates Dutch law, according to an analysis and report conducted by the Dutch Data Protection Agency (DPA). According to the agency experts, the End User License Agreement doesn’t clearly state facts about the data Microsoft collects from consumers. With this kind of lacking transparency, users are prevented from giving informed consent, and as such, the software is in violation of the law.
The company must be clear about what data is collected and how it’s processed. But it also doesn’t respect previously chosen settings about data collection, resetting the parameters with each new update without informing the consumer, and without consent from the user.
The lack of clear information about what Microsoft does with the data that Windows 10 collects prevents consumers from giving their informed consent, says the Dutch Data Protection Authority (DPA). As such, the regulator says that the operating system is breaking the law.
In the Creators Update, Microsoft used clearer wording about the data collection. It’s still not explicit about what was collected and why but it does force everyone to re-set their privacy settings. In some situations, though, that page defaulted to the standard Windows options rather than defaulting to the settings previously chosen.
Microsoft also explicitly enumerated all the data collected in Windows 10’s “Basic” telemetry setting. However, the company has not done so for the “Full” option, and the Full option remains the default, and this difference isn’t even mentioned anywhere.
The company says that it will work with the DPA to “find appropriate solutions” and work according to the law. However, in their detailed response to the DPA’s analysis (this is the issue not intended for journalists, differing from their official website statements), Microsoft disagrees with some of the DPA’s objections.
Specifically, the company claims that its disclosure surrounding the Full telemetry setting—both in terms of what it collects and why—is sufficient and that users are capable of making informed decisions.
The DPA’s complaint doesn’t call for Microsoft to offer a complete opt out of the telemetry and data collection, instead focusing on ensuring that Windows 10 users know what the operating system and Microsoft are doing with their data. The regulator says that Microsoft wants to “end all violations,” but if the software company fails to do so, it faces sanctions.