The French National Data Protection Commission (CNIL) gave a formal notice to Microsoft regarding Windows 10 security and privacy concerns.
In a firm notice, Microsoft Corporation was told to "stop collecting excessive data and tracking browsing by users without their consent."
Microsoft needs to comply within 3 months.
CNIL's main concern is that Microsoft is making mass surveillance easy for the government.
Windows 10 under CNIL scanner since its launch
France's data privacy agency CNIL had started investigating Windows 10 soon after the operating system was launched in July 2015 at the behest of "media reports and letters from several French political parties".
CNIL's reprimands to Google and Facebook
In 2015, the CNIL issued similar warnings against US tech companies against excessive browser tracking.
Google was ordered to extend Europe's "right to be forgotten" rule to cover all Google sites.
Earlier this year, it directed Facebook to end tracking the web browsing of non-users, according the company 3 months to comply with its orders.
Points of worry for the CNIL
The CNIL found that Microsoft was monitoring apps being downloaded and the time spent on each one.
Further, Microsoft used cookies to push personalized ads without accurately notifying users or enabling them to opt out.
Moreover, the 4-character PIN system employed to reach Microsoft services was insecure, because there was no upper-limit on the number of attempts.
23 Jul 2016
What Microsoft had to say
Microsoft vice-president David Heiner told the media that Microsoft "will work closely with the CNIL over the next few months to understand the agency's concerns fully and to work toward solutions that it will find acceptable."
He also said that Microsoft was looking to sign a new EU-U.S. Privacy Shield, a more stringent framework that would replace "safe harbour" agreement.
Safe harbour agreement
The safe harbour agreement was made between the "EC and the US government essentially promised to protect EU citizens' data if transferred by American companies to the US." It is no longer considered valid by Europe.