What you need to know

  • The Dutch Data Protection Agency requested that the Irish Data Protection Commission looks into how Windows 10 gathers data.
  • The Irish Data Protection Commission confirmed that they are "liaising with the Dutch DPA to further this matter."
  • It was concluded in 2017 by the Dutch DPA that Windows 10 breached privacy laws.

The Dutch Data Protection Agency (DPA) has requested that the Irish Data Protection Commission (DPC) look into privacy concerns regarding how Windows 10 collects user data. The DPC is the lead EU privacy regulator for Microsoft because Microsoft's regional headquarters are in Ireland. The DPC confirmed that they are "liaising with the Dutch DPA to further this matter" to TechCrunch.

In 2017, the Dutch DPA determined that Windows 10 was in violation of local privacy laws. Following this, Microsoft made several changes to how Windows 10 asks users about data collection. Testing these changes that took effect in April is what led the Dutch DPA to have new concerns. The agency discovered what it calls "new, potentially unlawful, instances of personal data processing" in a press release.

Because Microsoft's headquarters are in Ireland, which requires GDPR compliance, the lead privacy regulator that covers Microsoft is the Irish DPC. A spokesperson from the Irish DPC told TechCrunch that the DPC is looking into the concern.

Since then the DPC has been liaising with the Dutch DPA to further this matter... The DPC has had preliminary engagement with Microsoft and, with the assistance of the Dutch authority, we will shortly be engaging further with Microsoft to seek substantive responses on the concerns raised.

A Microsoft spokesperson released a statement to TechCrunch as well.

The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible.

Microsoft is committed to protecting our customers' privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.

One of the concerns raised by the Dutch DPA is if it's necessary for Microsoft to collect non-diagnostic data.

Microsoft is permitted to process personal data if consent has been given in the correct way... We've found that Microsoft [collects] diagnostic and non-diagnostic data. We'd like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this.

Does Microsoft collect more data than they need to (think about dataminimalization as a base principle of the GDPR). Those questions can only be answered after further examination.

Potential penalties for violating GDPR can be up to 4 percent of a company's annual global turnover. Though, it will likely be an extended period of time before the DPC makes any official decisions.