Microsoft faces new GDPR privacy investigation over Windows 10 telemetry

Ireland's Data Protection Commission to investigate claims of "new, potentially unlawful" uses of personal data harvesting by Windows 10

Microsoft is facing a new European Union privacy investigation over its Windows 10 telemetry practices.

The investigation will be led by Ireland's Data Protection Commission - the location of Microsoft's European headquarters and, hence, the lead authority on Microsoft matters in the EU - on the request of the data protection authorities in the Netherlands. It claims that a number of options in the Windows 10 set-up represents "new, potentially unlawful" uses of personal data harvesting.

It comes despite some changes that Microsoft made to its Windows 10 data-collection practices in April 2018 in response to earlier warnings that Windows 10 telemetry breached EU privacy laws. Since then, of course, the General Data Protection Regulation (GDPR) has come into force and Microsoft could face fines of up to four per cent of turnover if it is found to be infringing GDPR.

The Dutch authorities note that Microsoft collects both diagnostic and non-diagnostic data. "We'd like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this," asking: "Does Microsoft collect more data than they need to… Those questions can only be answered after further examination."

GDPR, it added, has "data minimalisation" - organisations shouldn't take and process any more data than is necessary to perform a function - as a basic principle.

In response to the news, Microsoft released the following statement: "We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible."

It added that it was "in close coordination with the Dutch data protection authority" and had introduced a number of privacy features for both individual users and small business users of Windows 10.

The complaint follows on from an investigation by Dutch authorities, released in July this year, that warned that government staff should not use Microsoft Office due to Microsoft's telemetry practices. The state of Hesse in Germany also banned the use of Office 365 earlier this year over privacy fears.

That recommendation came after an investigation by Dutch investigators in November 2017 that concluded that Microsoft's collection of telemetry data is in breach of GDPR.

The Irish data protection authority is also investigating Microsoft's practice of cross-border data processing, an investigation instigated following the introduction of GDPR, and also attracting a potential fine of up to four per cent of global turnover.