Een aantal van de problemen met de privacy kan worden opgelost door de gebruikers zelf, als die bereid zijn diep in de settings van Windows 10 te duiken. Maar de Franse commissie stelt dat betere privacy een standaard instelling zou moeten zijn, niet iets waar gebruikers moeite voor zouden moeten doen.
CNIL heeft Microsoft op 30 juni dan ook een officiële waarschuwing gegeven, waarmee het de softwarereus drie maanden de tijd geeft om te gaan voldoen aan de wet. Maar die waarschuwing is nu pas openbaar gemaakt.
The commission conducted seven tests of the data sent back to Microsoft by Windows 10 in April and June of this year. Among Microsoft's faux pas was the collection of data about all the apps downloaded and installed on a system, and the time spent on each one, a process CNIL said was both excessive and unnecessary.
Microsoft also failed to protect user data sufficiently, it said, by allowing users to secure their Microsoft accounts containing their purchase history and their means of payment with a PIN consisting of just four digits, and by allowing unlimited attempts to unlock the account.
If Microsoft doesn't comply with CNIL's demands by Sept. 30, then it could face a fine of up to €1.5 million (US$1.66 million) for the poor PIN security, and lesser fines for the other measures, the commission said in its formal notice to the company.
The company also tracked its customers without permission, setting and activating an advertising ID when Windows 10 was installed that allowed apps to target advertising to users. It also put advertising cookies on the computers without giving users a chance to opt out first, CNIL said.
Furthermore, despite Windows 10's system of continuous updates, the company has not taken account of a significant legal change in the European Union since the launch of the operating system.
On Oct. 6, the Court of Justice of the European Union invalidated the Safe Harbor Agreement for the transfer of personal data. That made it illegal to use its provisions to justify the export of Europeans' personal data to the U.S., yet Microsoft continued to do so, CNIL said.
The French data protection authority is not the only one in Europe that has been studying Windows 10's treatment of personal data; others are continuing their investigations.
CNIL does not always make public the cease-and-desist notices it issues - companies have a right to privacy, too -- but decided to in this case because of the seriousness of the breaches and because they affected so many Windows users, more than 10 million of them in France.
Microsoft representatives did not immediately respond to a request for comment.