Last summer, France's data protection commissioner, CNIL, criticized Microsoft for collecting an excessive amount of user data on Windows 10 PCs, and publicly ordered the company to "comply with the law within a period of three months."
Today, CNIL issued a public statement, saying that it is satisfied with Microsoft's efforts to address those criticisms in accordance with the country's 'computing and freedoms' laws, and has ended its "procedure of formal notice" against the company. The data protection watchdog said that Microsoft "has reduced by almost half the volume of data collected under the "basic level" of its telemetry service", and that it now limits its collection of data to the bare minimums required "to maintain the system and applications in good working order and to ensure [users'] safety."
Earlier this year, Microsoft introduced a range of privacy changes to improve the transparency of its data collection on Windows 10, and to give users greater control over the amount and types of data that they're willing to share with the company. These changes included a new online privacy dashboard, and a revised Windows 10 setup experience with clearer explanations of its data collection practices.
CNIL also highlighted other improvements that Microsoft has made to address its concerns. It said that Microsoft has:
- inserted references to information in line with article 32 of the "computing and freedom" law;
- completed applications with the CNIL for its treatments of combating fraud;
- joined the Privacy Shield to govern international transfers of personal data;
- put an end to the deposit of cookies without prior collection of the consent of users for many of its Windows 10 web sites, and is committed to do for all before September 30, 2017.
While CNIL considers the matter resolved, Microsoft's data collection activities in Windows 10 apparently remain under the scrutiny of the Article 29 Working Party, a group formed of representatives from data and privacy regulators in each of the European Union's member states. That group raised fresh concerns about Windows 10 data collection in February, saying that Microsoft "should clearly explain what kinds of personal data are processed for what purposes. Without such information, consent cannot be informed, and therefore, not valid."