France data authority criticises Windows 10 over privacy
Windows 10 gathers an "excessive" amount of personal data on users, the French data authority has said in a formal notice.
Following complaints the operating system breached France's Data Protection Act, the National Data Protection Commission (CNIL) found "many failures".
The CNIL has now given Microsoft three months to comply with the act.
A Microsoft executive said the company would "work closely" with the CNIL.
By default, Windows 10 collects various data on how it is used - this includes what apps are installed and how much time is spent within them, for example.
"[Microsoft] is collecting excessive data, as these data are not necessary for the operation of the service," said the CNIL.
The authority also criticised the fact that an advertising ID is activated by default, which allows apps to monitor user browsing and then offer targeted ads.
In the CNIL's view, this has been done "without consent".
Plus, data was being transferred outside the EU despite a Court of Justice of the European Union (CJEU) decision, in October last year, to prohibit this.
"We built strong privacy protections into Windows 10, and we welcome feedback as we continually work to enhance those protections," said David Heiner, Microsoft vice-president and deputy general counsel.
"We will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable."
Mr Heiner added that a new privacy statement would be issued by the company next month and that it planned to adopt the Privacy Shield - a recently approved US-EU pact to allow data flow across the Atlantic.
"It is high time that companies are called to account about the amount of data they collect about us without our consent," said Harmit Kambo, campaigns director at Privacy International.
"Why do they need so much data about us, and why are they not open with us about it?"
Mr Kambo added that he hoped other companies would also consider the implications of the CNIL's decision.
"CNIL's public notice to Microsoft Corporation should be a wake up call to all companies, that it's unacceptable to hoover up their customers' data without their consent," he said.