The French regulatory body Commission Nationale de l’Informatique et des Libertés (CNIL) announced this week that it is dropping its complaint against Windows 10 because of changes Microsoft has made to its data collection policies.
CNIL first complained about the privacy implications of Windows 10 data collection in mid-2016, about one year into the operating system’s lifetime. At that time, it demanded that Microsoft alter Windows 10 to come into compliance with French data protection laws, and it threatened to fine the firm for ongoing violations.
After finally explaining that Windows 10 wasn’t actually violating anyone’s privacy, Microsoft did work to correct these overblown issues in the Creators Update. And in doing so, it delivered a win to privacy advocates.
Also, it worked on the regulators.
“The President of the CNIL considers that the company has complied with the law and thus decided to proceed with the closure of the formal notice procedure,” a CNIL statement reads. “Microsoft has taken steps to comply with the injunctions of the formal notice.”
The CNIL was apparently swayed by what I call the “privacy theater” changes that Microsoft made in Windows 10 Setup, where it forces users to make several choices related to data collection. If the user turns off all those switches, Windows 10 moves into a “base” data collection mode that apparently satisfies French demands for privacy.
According to the CNIL, Microsoft has reduced the volume of data collected under the “base” level of its telemetry service in Windows 10 by nearly half. Now, it only collects data that is “strictly necessary to maintain the system and applications in good working order and to ensure their safety.” It’s unclear what Microsoft was collecting previously.
Likewise, the CNIL likes the “clear and precise” messaging about privacy that Windows 10 delivers to users. They cannot finish setting up Windows 10 without making privacy choices, and they can change those choices at any time. (This is, in fact, no different from the original versions of Windows 10, but whatever.)
Finally, the CNIL cited improvements to Windows 10 security, which is rather bizarre, as I’m not aware of any changes there that are relevant to privacy. (It looks like they’re referring to changes to Microsoft’s two-step authentication functionality, which isn’t strictly a Windows 10 feature.)