Microsoft found to be in breach of Dutch data protection law
Data processing via the Windows 10 operating system
19 January 2018
The Dutch Data Protection Authority (DP Authority) launched an investigation into Microsoft’s data processing via its Windows 10 operating system. The DP Authority published its report on 13 October 2017, which found that Microsoft breaches the Dutch Data Protection Act (DDPA) when processing the telemetry data of Windows 10 users. The report’s conclusion underlines the importance of default settings in the context of software updates and user consent requirements for cross-border data collection.
Over four million active devices use Microsoft’s Windows 10 Home and Pro in the Netherlands. When users run the operating system, Microsoft continuously collects technical performance and user data from these devices. These data are called ‘telemetry data’ and include, for example, data about the type of device, the installed hardware and software on the device (including apps), data about connected devices such as printers, how often apps are used and how well the software performs on the device. With telemetry, Microsoft - as it were - takes pictures of the behaviour of Windows 10 users, and continuously sends these pictures to itself. The Vice-Chairman of the DP Authority commented that Microsoft’s operating system follows almost every step that individuals take at their computer, which results in an intrusive profile of the individual. He believes that Microsoft needs to give users a fair opportunity to consider this themselves.
Users can switch the level of telemetry in Windows 10. As of April 2017 (since the launch of the Creators Update), Microsoft offers two levels: basic and full. Microsoft now processes limited data about device usage at the basic level. However, at the full telemetry level, Microsoft collects detailed information about app usage, web surfing behaviour via Edge (Microsoft’s internet browser), as well as (parts of) the content of handwritten documents via an inkpad.
When installing Windows 10, the level of telemetry is by default set to ‘full’ and the user is asked to accept these (and other) default settings. The default settings also allow Microsoft to show personalised advertisements and recommendations in Windows 10 and in Edge, including for all apps for sale in the Windows store.
Microsoft collects these telemetry data at the basic level for different purposes, namely (1) to correct failures in its systems and apps, (2) to improve its products and services, and (3) to keep its systems up to date and secure. In addition, at the full level Microsoft collects information to (4) display personalised advertisements for Microsoft products (including the apps which Microsoft offers through the Windows store) and (5) to use the advertisement ID (Reclame ID in Dutch) to display advertisements in the apps of third parties.
The DP Authority is of the opinion that certain data collected through the default setting of full telemetry about the app usage of users by Microsoft qualify as sensitive data. This relates for example to how often someone reads a newspaper from a foreign country, an app that indicates Islamic prayer times or a magazine targeted at gay people. These data can be used to influence the behaviour of that person or the treatment of that person. Microsoft also uses these data accordingly by showing users personalised recommendations and advertisements. Some of these data can even be regarded as sensitive data, for example data about someone’s religion or sexual life, and use thereof requires explicit consent from the user.
Legal basis for accessing information on a device
Article 11.7a of the Dutch Telecommunications Act, which implements Article 5 Subsection 3 of the ePrivacy Directive, requires Microsoft to obtain the prior informed consent of the user before placing or reading information on his/her computers and devices. Microsoft structurally collects data from Windows 10 devices as the installation of Windows 10 on a device includes the telemetry functionality. The telemetry client ensures that information is stored on these devices and that subsequently, messages containing the data are sent regularly via the internet to Microsoft’s telemetry servers. For this method of saving information and arranging access to the data, informed consent as set out in Article 11.7a of the Dutch Telecommunications Act is required. The DP Authority ruled that Microsoft did not obtain this consent, as Microsoft did not provide clear and complete information, at least about the purposes of the processing.
After the Creators Update in April 2017, Microsoft did improve some of the information it provided on the purposes for data processing. Microsoft now informs users on the installation screen about the purposes for which it obtains the telemetry data, after which the user should click on the ‘accept’ button. However, users are only informed in general about the types of data Microsoft processes via full telemetry. Consequently, it could be argued that the purposes are still worded too generally and the processing of personal data is still not transparent enough. Microsoft may therefore not be able to rely on consent under the Dutch Telecommunications Act to store and access information on devices.
Legal basis for processing
An organisation may only process personal data if it has a legal ground to do so in accordance with Article 8 of the DDPA. Microsoft relied on the following legal grounds when collecting and using telemetry data: (i) consent; (ii) the necessity for its legitimate interest; and in some cases, (iii) the necessity for the performance of a contract.
In order for consent to be valid, it must be specific, informed, unambiguous and free. Microsoft’s information does not make clear that at the full telemetry level, Microsoft continuously collects data about app usage and web surfing behaviour. This is a violation of the ‘specific’ requirement, which means that it should be clear what processing of which data will take place and for which purpose. Microsoft is of the opinion that all purposes are interconnected and that it may therefore collect the data for each of them. Furthermore, the DP Authority considers that users do not have sufficient insight into the fact that - and to what extent - Microsoft uses full telemetry to collect data comprehensively. This data entails the use of all installed apps, including apps that collect data of a sensitive nature. On top of that, Microsoft collects - in some cases - content-based data from apps, such as entered locations or news articles read. Because the wording is not sufficiently specific, the scope of the data processing is not sufficiently clear to users. In the absence of such information, Microsoft does not obtain informed and specific consent.
Furthermore, for consent to be validly obtained, it must be given unambiguously. The consent is being obtained by the default settings. In order to obtain unambiguous consent, there cannot be any doubt as to whether a user has consented to the processing of their data. The fact that a user has not opted out from the default settings (whereby the telemetry level is set to full), does not mean that they thereby give consent for the use of their telemetry data to show personalised advertisements, recommendations or apps. In addition, the DP Authority established that Microsoft had not respected existing privacy choices when upgrading to the Creators Update. Users that downloaded the operating system themselves and that had selected the basic telemetry settings previously in an earlier Windows version were switched to full telemetry level upon installation of the Creators Update, unless they actively changed the privacy settings. On the basis of the above, the DP Authority is of the view that the consent which Microsoft obtains from individuals does not meet the legal requirements.
Other legal grounds
Microsoft is not able to justify its processing of telemetry data on the legal grounds of ‘necessary for its legitimate interest’ as stated in Article 8 Subsection f of the DDPA or ‘necessary for the performance of a contract’ as stated in Article 8 Subsection b of the DDPA. As Microsoft breaches the Dutch Telecommunications Act by not obtaining consent before placing and reading information in the device, Microsoft cannot claim a ‘legitimate’ interest as provided for in Article 8 Subsection f of the DDPA. Furthermore, Microsoft does not specify which personal (telemetry) data are being processed and for which purposes.
The data that are processed at the full telemetry settings also include sensitive personal data. For these types of data, the interest of Microsoft does not overrule the right to protection of personal life of a user (data subject). This means that the ‘necessity’ requirement is not met by Microsoft. For the basic telemetry level, Microsoft may obtain a legal ground as this processing is limited. In order to legitimately process telemetry data at the full level, the basic telemetry level should be the default setting when installing Windows 10 and users of the software should have the opportunity to give separate consent for the other purposes of data collection (i.e. improvement of Microsoft’s services and products as well as advertising).
Breach of the Dutch DP Act
Microsoft has therefore violated Articles 7 and 8 of the DDPA, as it does not have a valid legal ground to collect and use telemetry data and has not collected the data for clearly determined, explicitly described and justified purposes. Microsoft also breached Article 6 of the DDPA, which states that personal data may only be processed in accordance with the law, in a fair and careful manner, as Microsoft lacked specific purposes and transparency.
Microsoft Windows and Devices Group Privacy Officer Marisa Rogers responded to the DP Authority’s report, stating that Microsoft will work with the DP Authority to ensure it is compliant with Dutch privacy law, while also stating that it has specific concerns with the accuracy of some of the DP Authority’s findings and conclusions. Microsoft has summarised the points it disputes in an overview and said that Windows 10 users can learn about their privacy choices and controls via, among others, the ‘Learn More’ documents and privacy settings.
It remains to be seen whether Microsoft’s arguments that users can learn more about their privacy choices will remain valid, as the DP Authority takes the view that users must be ‘clearly’ informed in order for such consent to be valid. Requiring individuals to be proactive and actively search for information on their privacy settings may not meet that requirement.
As indicated, Microsoft has not obtained valid consent from its users for processing their personal data. Not opting out from the default settings does not mean that a user gives unambiguous consent. This view of the DP Authority is among other things based on research that shows that people are not likely to amend these default settings, as this requires an active decision of the user. Furthermore, this method is in breach of the principle of ‘privacy by default’: the principle that entails that all standard settings should secure the highest level of privacy. Microsoft should thus take the relevant technical and organisational measures to ensure that it, by default, only processes those personal data which are required for the specific purpose. This principle is incorporated in the upcoming General Data Protection Regulation (GDPR), which will apply as of 25 May 2018. Article 7 of the GDPR will furthermore set an even higher bar for obtaining consent from individuals for processing their personal data. Consent must then be very clear and specific, separate from other terms, granular, a positive opt-in, properly documented and easily withdrawn, according to the Information Commissioner’s Office (the UK data protection authority). Microsoft will accordingly be required to make substantial changes in order to lawfully obtain consent for collecting and using telemetry data of Windows 10 users under the GDPR.
Following publication of the report, the enforcement phase has started. During this phase Microsoft has to demonstrate that it will make the necessary changes. If Microsoft is not able to demonstrate improvements during this phase, the DP Authority will consider the appropriate sanctions. Such sanctions include the possibility of imposing an order subject to a penalty. Under the current DDPA, the DP Authority can impose substantial penalties, which will only increase under the GDPR. Companies should accordingly bear in mind the need to give users and customers insight into and control over their data. When designing systems and/or software, data minimisation, purpose limitation and privacy by design should be taken into account.
This article was originally published on Leading Internet Case Law.
Sanne Blankestijn also contributed to this article.