European regulators to Microsoft: We’re watching you

Microsoft has built itself into the company with the world’s highest valuation, while managing to avoid (for the past several years, anyway) the attention of the U.S. Justice Department, federal regulators and Congress. Its peers, meanwhile, including Facebook, Amazon, Google and Apple, have found themselves embroiled in time-consuming and energy-sapping investigations.

But for Microsoft, those days of freedom may be coming to an end. Windows 10 and Office have fallen afoul of the European Union’s GDPR privacy regulations, and the consequences may be serious and may even spur investigations in the United States.

The biggest danger to Microsoft is the way in which Windows gathers and uses data. Even before the GDPR regulations, which went into effect in late May 2018, some European countries had their doubts about Windows and privacy.

In 2017, the Netherlands’ Data Protection Agency (DPA) concluded that the way in which Windows 10 gathers telemetry data from its users violated that country’s data protection laws. The agency didn’t fine Microsoft but did require that Microsoft change the way it gathers and uses the data. Those changes were incorporated into the Windows 10 April 2018 update. Among them was a tool Microsoft released, with great hoopla, called the Diagnostic Data Viewer. Microsoft said in a blog post that the tool is part of the company’s commitment to be “fully transparent on the diagnostic data collected from your Windows devices, how it is used, and to provide you with increased control over that data.”

Transparent it isn’t. The tool is so complex and arcane that even many programmers can’t understand or use it. Rather than providing a simple way to let you know what information Windows gathers about you, it forces you to scroll or search through incomprehensible headings such as “TelClientSynthetic.PdcNetworkActivation_4” and “Microsoft.Windows.App.Browser.IEFrameProcessAttached” with no explanation of what they mean. Click a heading and you get a listing of spaghetti code you can’t possibly understand. Looking at it, it’s hard to imagine how anyone could talk about the Diagnostic Data Viewer and transparency in the same breath.

The Dutch DPA has taken a long time examining that and other changes Microsoft made, to see whether Windows now complies with the agency’s regulations, as well as with the newer GDPR rules. The DPA concluded that the changes complied with what the DPA originally asked Microsoft to do. But its examination “also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules,” according to the agency. So the DPA turned over the case to the Irish Data Protection Committee (DPC), because Microsoft’s European operations are headquartered in Ireland. That agency will determine whether Microsoft is violating the GDPR.

Copyright © 2019 IDG Communications, Inc.

