Georgetown Law
Technology Review

On October 13, 2017, the Dutch Data Protection Authority (DPA) released a report concluding that Microsoft’s Windows 10 operating system breaches local privacy law.1Natasha Lomas, Microsoft’s Windows 10 Breaches Privacy Laws, Says Dutch DPA, TECHCRUNCH (Oct. 13, 2017), https://techcrunch.com/2017/10/13/microsofts-windows-10-breaches-privacy-law-says-dutch-dpa/. The report bases its conclusion on the operating system’s processing of personal information in relation to telemetry data—diagnostic system information used to fix errors and improve products.2Id. According to the report, Holland’s four million active Windows 10 users were not being clearly informed of how Microsoft was using their personal information.3Microsoft Windows 10 Breaches Dutch Privacy Law, BBC NEWS: TECH. (Oct. 16, 2017), http://www.bbc.com/news/technology-41634617. This is not the first time Windows 10 has been scrutinized for its user privacy protection. Officials from France,4Lisa Vaas, Microsoft Given 3 Months to Fix Windows 10 Security and Privacy, NAKED SEC. (July 21, 2016), https://nakedsecurity.sophos.com/2016/07/21/microsoft-given-3-months-to-fix-windows-10-security-and-privacy/. Germany,5Iain Thomson, Germans Force Microsoft to Scrap Future Pushy Windows 10 Upgrades, REGISTER (Aug. 23, 2017, 9:35 PM), https://www.theregister.co.uk/2017/08/23/microsoft_windows_10_updates_germany/. and Switzerland6Shaun Nichols, New Windows 10 Privacy Controls; Just a Little Snooping—or the Max, REGISTER (Jan. 11, 2017, 8:02 AM), https://www.theregister.co.uk/2017/01/11/microsofts_new_windows_telemetry_manager/. have all previously expressed concern with how the operating system ensures users remain in control of their private data.

The report primarily claims Windows 10 violates the Dutch Personal Data Protection Act (Wbp).7AUTORITEIT PERSOONSGEGEVENS (Dutch DPA), SUMMARY OF INVESTIGATION TELEMETRY MICROSOFT WINDOWS 10 HOME AND PRO – PUBLIC VERSION 1 (Oct. 6, 2017), https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/public_version_dutch_dpa_informal_translation_summary_of_investigation_report.pdf. According to section eight of the Wbp, a company may only use personal data under limited circumstances.8Wet bescherming persoonsgegevens [Personal Data Protection Act] 6 juli 2000, Stb. 2000, 302 (Neth.). Possible circumstances include: processing personal information with the user’s consent; processing personal information as part of a contract with the user; or processing personal information to further a “legitimate interest” as long as that interest is not outweighed by a greater, more fundamental privacy interest of a user.9Id. The report also refers to violations of the Dutch Telecommunications Act, which requires user consent for the storing or reading of information from a user’s device.10AUTORITEIT PERSOONSGEGEVENS (Dutch DPA), supra note 7.

According to the report, Windows 10 violates Dutch privacy law through its default telemetry data settings.11Id. at 3. The report describes Windows 10 as offering users two levels of telemetry data sharing: basic and full.12Until April 2017, the Anniversary Update version of Windows 10 allowed three telemetry levels: basic, enhanced and full. This version also has a default level to “full.” Id. at 1. When a user installs the operating system, the default telemetry level is set to full.13Id. This default full setting allows Windows 10 to collect user information on what apps a user is using and their web browser histories.14AUTORITEIT PERSOONSGEGEVENS (Dutch DPA), supra note 7. Additionally, the report alleges Windows 10’s default settings allow telemetry data to be used to “show personalized advertisements and recommendations” to a user.15Id. at 2. These default settings essentially allow Windows 10 to collect a user’s online behavior and use that information to show the user advertisements based on that information. Because the settings are in place as default, a user cannot provide “specific, informed, unambiguous, and free”16Id. at 3. consent to use personal information “to treat a person in a certain way or influence the behavior of that person.”17Id. at 2. Likewise, Microsoft cannot claim a “legitimate interest” to process user telemetry data for advertising because a user’s browser and app history is highly sensitive in nature.18Id. The report determines that the default setting then violates the law.19AUTORITEIT PERSOONSGEGEVENS (Dutch DPA), supra note 7.

On the same day of the report’s release, Microsoft responded to the Dutch DPA’s allegations in a blog post.20Marisa Rogers, Microsoft’s Response to Privacy Concerns in the Netherlands, MICROSOFT PULSE (Oct. 13, 2017), https://pulse.microsoft.com/nl/nl/security-privacy/na/microsofts-response-privacy-concerns-netherlands/. In the post, Microsoft assured its customers that Windows 10 is “clearly compliant under Dutch law.”21Id. The post linked to a list of critiques of the report’s claims, but asserted that Microsoft was willing to “cooperate with the [Dutch] DPA to find appropriate solutions.”22Id.

For example, Microsoft states that Windows 10 clearly informs users of company’s data practices because “users can learn about the data [Microsoft] collect[s] and how it is used in a variety of ways.”23MICROSOFT, DUTCH DPA WINDOWS 10 HOME/PRO INVESTIGATION: MICROSOFT FACT SHEET (Oct. 13, 2017), https://ncmedia.azureedge.net/ncmedia/2017/10/Dutch-DPA-Windows-10-Home_Pro_Investigation_Mi.pdf. The critique also notes that “[u]sers can change their privacy settings at any time.”24Id.

The Dutch DPA has yet to respond to Microsoft’s challenge to the report, but any response is likely to be negative, as the conflict has a deeper foundation. Microsoft’s main contention is that users should actively “learn” about their “privacy choices and control” to add more privacy protection.25Id. The DPA’s clear position, however, is that the default setting should be more protective.26 AUTORITEIT PERSOONSGEGEVENS (Dutch DPA), supra note 7. In any event, while Microsoft has expressed a willingness to “end all violations,” Dutch authorities have made clear that sanctions could be imposed if the company fails to do so.27Peter Bright, Dutch Privacy Regulator Says Windows 10 Breaks the Law, ARSTECHNICA (Oct. 13, 2017), https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law/.