Yesterday France’s National Data
Protection Commission (CNIL) slapped a
formal order on Microsoft to comply with
data protection laws after it found
Windows 10 was collecting “excessive
data” about users. The company has
been given three months to meet the
demands or it will face fines.
Microsoft has now responded, saying it is
happy to work with the CNIL to work
towards an acceptable solution.
Interestingly, while not denying the
allegations set against it, the company
does nothing to defend the amount of
data collected by Windows 10, and also
fails to address the privacy concerns it
Microsoft does address concerns about
the transfer of data between Europe and
the US, saying that while the Safe Harbor
agreement is no longer valid, the
company still complied with it up until the
adoption of Privacy Shield.
It’s interesting to see that Microsoft, in
response to a series of complaints very
clearly leveled at Windows 10, manages to
mention the operating system only once.
There is the promise of a statement about
privacy next week, but for now we have
Microsoft’s response to the CNIL’s order.
Here is the full text of the statement from
David Heiner, vice president and deputy
general counsel at Microsoft: “Earlier
today Microsoft received a notice from the
French data protection authority, the
Commission Nationale de l’Informatique
et des Libertés or CNIL, raising concerns
about certain aspects of Windows 10. The
notice gives Microsoft three months to
address the issues.
“We built strong privacy protections into
Windows 10, and we welcome feedback
as we continually work to enhance those
protections. We will work closely with the
CNIL over the next few months to
understand the agency’s concerns fully
and to work toward solutions that it will
find acceptable.
“The CNIL noted that the Safe Harbor
framework is no longer valid for
transferring data from European Union to
the United States. We fully understand the
importance of establishing a sound legal
framework for trans-Atlantic data
transfers, and that is why Microsoft has
been very supportive of the efforts on both
side of the Atlantic that led to last week’s
adoption of the Privacy Shield.
“As the European Commission observed,
Microsoft’s January 2016 Privacy
Statement states that the company
adheres to the principles of the Safe
Harbor Framework. Microsoft has in fact
continued to live up to all of its
commitments under the Safe Harbor
Framework, even as the European and
U.S. representatives worked toward the
new Privacy Shield. As we state in our
privacy statement, in addition to the Safe
Harbor Framework we rely on a variety of
legal mechanisms as the basis for
transferring data from Europe, including
standard contractual clauses, a data
transfer mechanism established by the
European Commission and approved by
European data protection authorities, to
cover data flows from the European Union
to the United States.
“Microsoft will release an updated privacy
statement next month, and that will say
Microsoft intends to adopt the Privacy
Shield. We are working now toward
meeting the requirements of the Privacy