Following its first letter to Microsoft in January 2017, the WP29 (the group of European data protection authorities) sent a second letter on 15 February 2017 raising concerns about the validity of users' consent and the proportionality of the data used for each Windows 10 data processing purpose.
The WP29's initial concerns
In its first letter to Microsoft, the WP29 raised concerns about Microsoft's collection and use of Windows 10 users' personal data. These concerns related to:
- the default installation settings
- the apparent lack of control for a user to prevent the collection or further processing of data
- the scope of the data collected.
Following this first letter, Microsoft proposed improvements to the installation process to give users more control over their personal data.
However, the WP29 did not seem fully satisfied by these improvements: in a second letter sent in February, it raised new concerns regarding consent and the proportionality of the data used.
In the WP29's opinion, and despite the proposed improvements, Microsoft does not obtain users' fully informed consent
For the WP29, the five options offered on the installation screen to limit or switch off certain kinds of data processing are not sufficient, because it is not clear what data is collected or processed under each functionality that can be switched off or limited.
Moreover, the WP29 considers that Microsoft should clearly explain which kinds of personal data are processed for which purposes; otherwise the consent cannot be considered sufficiently informed and therefore cannot be valid.
The WP29 therefore has additional concerns as to the proportionality of the data collected for different purposes
This lack of information also led the WP29 to question whether the personal data processed by Windows 10 for its different purposes is proportionate to those purposes.
What does the GDPR or the Directive 95/46/EC say about informed consent?
The WP29's position is interesting because it gives guidance on the level of information it expects before consent can be considered valid.
Under both the GDPR and the current Directive, consent must be specific, informed and freely given to be valid; the GDPR additionally requires it to be unambiguous.
The Directive's recitals give no guidance on what informed consent requires, but recital 32 of the GDPR provides that "for consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended".
The recital does not expressly require that, for consent to be valid, the controller specify which data is used for each processing purpose subject to consent. In some circumstances, providing only the identity of the controller and the purposes of the processing may not be enough, particularly if the omission is misleading. However, one could argue that as long as the notice does not say otherwise and is not misleading, the data subject should expect that any personal data he or she provides may be used for the processing subject to consent, and, if the data subject does not agree, he or she should refuse to have the data processed for those purposes.
The WP29, however, appears to have higher expectations and to require more detail for consent to be properly informed. It might therefore be necessary to inform users of which data is used for each processing purpose subject to consent.