In a letter, the Article 29 Working Group said it still has "significant concerns" about how Microsoft collects and processes users' personal data, and whether it obtains fully informed consent from users to do so.
"There is an apparent lack of control for users to prevent collection or further processing of such data. As a result, the Working Party specifically requests further explanatory information from Microsoft, as to how the opt-outs, default settings and other available control mechanisms presented during the installation of Windows 10 operating system provide a valid legal basis for the processing of personal data under the Data Protection Directive 95/46/EC. This is especially of concern where Microsoft would rely on consent as a legal basis for the processing of personal data," the statement said.
Windows 10 launched in July 2015, and almost immediately garnered criticism for the use of default settings to harvest voluminous amounts of user data, such as web browsing history, WIFI network names and passwords, in order to display personalized adverts as users browse the web or play games. User data is also fed in to train Microsoft's Cortana digital assistant.
In response, the Article 29 Working Party instigated an investigation, as did several national data protection authorities, including France's CNIL. Their independent conclusions were much the same; the company must stop excessive data collection.
Among the breaches CNIL accused Microsoft of were failing to obtain notice for data transfers, breaking cookie law requirements, having inadequate security protections for personal data, failure to file an authorization request for processing personal data for fraud prevention purposes, and breach of cross-border data transfer restrictions.
France orders Microsoft to stop collecting excessive user data and tracking browsing of Windows 10 users. Yay democracy.-_-— ProjLegalRenaissance (@projectlegalR) July 24, 2016
CNIL set a deadline of January 31 for Microsoft to comply with their recommendations, although the Working Group's warning suggests the tech giant is yet to fulfil their obligations, meaning it can be fined. In all, Microsoft could face fines of up to US$3.2 million for breaches of domestic privacy laws.
The EU General Data Protection Regulation, due to come into force May 2018, increases the potential penalties for companies breaching EU data protection law, with fines of up to four percent of annual turnover for enterprises found to be non-compliant.
In a statement, European Digital Rights said Microsoft "grants itself very broad rights to collect everything you do, say and write" on Windows 10-equipped devices in order to sell more targeted advertising or to sell your data to third parties.