Microsoft investigated over remote data collection, says Dutch DPA

While the DPA said that the technology giant is in compliance with the agreements made following an investigation concluded at the beginning of the year, but the firm's remote collection of data from users of Windows Home and Windows Pro may violate rules.

The latter, deemed officially 'potentially unlawful', only came to light because the Dutch DPA stumbled across the information, which then spurred further examination of Microsoft's operation. "It is something we discovered, but we haven't had a closer look yet", the Dutch DPA spokesperson Pauline Gras told E&T.

The Dutch DPA advice to Microsoft users is "to pay close attention to privacy settings when installing and using Windows software. Microsoft is permitted to process personal data if consent has been given in the correct way", it said in a press release.

The press department of the DPA explained also that there is a significant difference between the 'lead DPA' and the 'concerned DPA'. The lead DPA is the DPA of the country where the European headquarters are located. For this reason, the case now referred to DPA colleagues in Ireland, would be "out of their hands" of the Dutch DPA. It would be up to their decision making whether they deem it appropriate to dig deeper and confirm concerns of allegations made towards Microsoft.

Despite being made aware of a potential breach by Microsoft, it took the Dutch regulator 'several months' to arrive at a decision to announce it, according to Gras. The main reason for the delay is that "these procedures take time", she said. "It is something we have to do very carefully".

A date for releasing a final decision on whether Microsoft did violate data protection rules is not set. It would be up to DPA in Ireland to proceed from here.  

Should it be concluded that Microsoft did breach rulings, hefty fines could be imposed.

Gras told E&T that the European General Data Protection Regulation (GDPR) gives authorities the opportunity to impose a "fine that can climb as far as 20m euros or - when that is more - a fine that is based on 4 per cent of the worldwide yearly turnover of the company in question". 

"We have all kinds of instruments to make sure that companies follow the rules, which could [include] fines in the utmost case", Gras told E&T.

Microsoft told other journalists that it welcomed the opportunity to "improve even more the tools and choices we offer to these users". Microsoft also said that it was committed to protecting the privacy of its customers, and had improved privacy features for individuals and small business users of Windows 10 in recent years.

In the previous investigation, Microsoft made some changes and the Dutch regulator was pleased with those, according to Gras.

Only two years ago, the company's approach to collecting telemetry metadata was found to be in breach of local privacy laws.

In its latest August update of Microsoft’s privacy statement, the company clarified that it would employ both automated and manual methods of processing personal data and that it added instructions on how to export Skype's chat history and files, according to the company's website.