According to the Dutch Data Protection Authority (DPA), Microsoft breaches the Dutch data protection law by violating the privacy of Windows 10 users. The authority has concluded that Microsoft fails to inform its users about the type and purpose of the data it retrieves.
Apparently, Microsoft has not revealed the fact that personal data regarding web surfing information is continuously being collected from Edge users, when the default settings are in place. The same applies to app usage; information like the identity of installed apps, how often apps are used, and more, is constantly being collected. In doing so, the tech giant is remotely monitoring user data, which is called "Telemetry" data.
Vice-chairman of the Dutch DPA, Wilbert Tomesen, feels that that Microsoft needs to provide users the opportunity to decide what form of their data is being used for what purpose. To that effect, he noted:
"It turns out that Microsoft’s operating system follows about every step you take on your computer. That results in an intrusive profile of yourself. What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves."
Personalized ads and recommendations in certain apps are being shown by Microsoft, by using the telemetry data. If a person does not change the default settings during installation of these apps, it means that he or she has not given full consent for the use of his or her personal data. Additionally, The Dutch DPA noted that Microsoft did not respect existing privacy choices of some of Windows 10 users when they upgraded to the Creators Update.
To summarize, there are three key areas where the Dutch DPA feels Microsoft is lacking at the moment. The purpose of the data being retrieved from Windows 10 users, unpredictable processing of said data, and informed consent from its users. If the tech giant fails to end all violations of the Dutch data protection law, the authority could impose a sanction on it.