France today said it had served formal notice on Microsoft to stop collecting what it deems excessive data and tracking browsing by users without their consent on civil liberty grounds.
France’s National Data Protection Commission (CNIL) said in a statement it had given the US computing giant three months to comply with the French Data Protection Act to ensure user data security and confidentiality.
The French indicated those investigations “revealed many failures” including collection of “irrelevant or excessive (user) data”. The CNIL also criticised Microsoft for allowing users to choose a four character PIN number to authenticate access to on-line services, but without limiting the number of attempts to enter the correct code, something the French deemed liable to hit data and personal security.
The French also decried Windows 10’s use of targeted advertising without first obtaining the consent of users and the absence of a means to block cookies.
“The company puts advertising cookies on users’ terminals without properly informing them of this in advance or enabling them to oppose this,” said the CNIL in a statement issued in French and English.
CNIL also said Microsoft was still transferring user data outside the European Union even though last October the European Court of Justice ruled on privacy grounds that the transfer of European citizens’ data to the United States under the obsolete “safe harbour” basis was no longer valid.
The French body added that should Microsoft fail to comply with the formal notice CNIL would draw up a report on Data Protection Act breaches which could result in a 150,000 euros (USD 165,000) fine.