Microsoft fires back on Safe Harbor violations


Microsoft is pushing back on a key component of a French government agency’s recent accusations.

On Wednesday, the Commission Nationale de l’Informatique et des Libertés (CNIL) ordered the software company to correct a list of problems in Windows 10 that it claimed threatened the privacy of French citizens. CNIL, which regulates data privacy, gave the company three months to do so before it would consider punitive measures.


Microsoft vice president and deputy general counsel David Heiner issued a statement to VentureBeat denying one of the charges. 

CNIL alleged that Microsoft was still transferring data to the United States under Safe Harbor policies that no longer apply to the U.S.

Safe Harbor is a European Union policy that allows consumer data to be stored abroad so long as it receives the same protections as E.U. law. It no longer applies to the U.S. because of domestic bulk surveillance programs. 

Safe Harbor stopped covering the U.S. in late 2015 and its replacement treaty, Privacy Shield, was only finalized last week. In the interim, there was an accepted workaround. 

“As we state in our privacy statement, in addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States,” says the statement.

On the other charges, which included weak PINs protecting accounts, letting advertisers track computers without enough warning, and collecting too much user data to use in improving the product, Microsoft appears willing to work with CNIL.

“We will work closely with the CNIL over the next few months to understand the agency’s concerns fully and to work toward solutions that it will find acceptable,” says the statement.