ARTICLE 29 Data Protection Working Party

Brussels, 15 February 2017
Mr Brendon Lynch
Chief Privacy Officer of Microsoft
Mr Satya Nadella
Chief Executive Officer of Microsoft
Microsoft Privacy
Microsoft Corporation
One Microsoft Way, Redmond
Washington 98052, USA
By e-mail:
brendonl@microsoft.com
satyan@microsoft.com

Dear Mr Lynch and Mr Nadella,

Following the launch of Windows 10, a new version of the Windows operating system, a
number of concerns have been raised, in the media and in signals from concerned citizens to
the data protection authorities, regarding protection of your users’ personal data. The Article
29 Working Party has highlighted these issues in its previous letter from January 2016.1 In its
letter the Working Party expressed significant concerns about the default installation settings
and an apparent lack of control for a user to prevent collection or further processing of data,
as well as concerns about the scope of data that are being collected and further processed. As
stated before, these issues are essential with regard to the legal basis Microsoft is relying on
for the processing of personal data under the Data Protection Directive 95/46/EC, especially
in case of user consent. In light of these concerns a number of EU national data protection
authorities have initiated detailed inquiries into the matter, namely the DPAs of Bavaria
(Germany), France, Netherlands, Hungary, Slovenia, Spain and UK. Collaboration is
coordinated by the DPA of Bavaria (Germany).
The Working Party appreciates the willingness Microsoft has shown to cooperate with the
data protection authorities and the recently announced future improvement of the installation
process, to offer users more control over the way it is collecting and processing their data.2

1

http://ec.europa.eu/newsroom/document.cfm?doc_id=42572
Microsoft blogpost, New Windows 10 experiences reinforce commitment to your privacy, 10 January 2017,
URL: http://blogs.microsoft.com/firehose/2017/01/10/new-windows-10-experiences-reinforce-commitment-toyour-privacy/
2

This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data
protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
The secretariat is provided by Directorate C (Fundamental rights and rule of law) of the European Commission, Directorate
General Justice and Consumers, B-1049 Brussels, Belgium, Office No MO59 02/27
Website: http://ec.europa.eu/justice/data-protection/index_en.htm

 The Working Party would like to recall that user consent can only be valid if fully informed,
freely given and specific. Whilst it is clear that the proposed new express installation screen
will present users with five options to limit or switch off certain kinds of data processing it is
not clear to what extent both new and existing users will be informed about the specific data
that are being collected and processed under each of the functionalities. The proposed new
explanation when, for example, a user switches the level of telemetry data from 'full' to 'basic'
that Microsoft will collect 'less data' is insufficient without further explanation. Such
information currently is also not available in the current version of the privacy policy.
Additionally, the purposes for which Microsoft collects personal data have to be specified,
explicit and legitimate, and the data may not be further processed in a way incompatible with
those purposes. Microsoft processes data collected through Windows 10 for different
purposes, including personalised advertising. Microsoft should clearly explain what kinds of
personal data are processed for what purposes. Without such information, consent cannot be
informed, and therefore, not valid.
As the scope of the personal data necessary for the functionalities of the operating system has
not been adequately clarified, open questions remain about the proportionality of the personal
data that are being processed by Windows 10 for different purposes.
In light of the above, which are separate to the results of ongoing inquiries at a national level,
even considering the proposed changes to Windows 10, the Working Party remains concerned
about the level of protection of users’ personal data.
I trust that your full assistance and cooperation will be provided regarding the issues in
question.
Yours sincerely,
On behalf of the Article 29 Working Party,
Isabelle FALQUE-PIERROTIN
Chairwoman

2