Windows 10 privacy: Microsoft announces new controls aimed at EU customers
Microsoft has announced a public preview of a new option for enterprise customers to control Windows 10 diagnostic data (aka “telemetry”). The program is of particular interest to customers in the European Union and the European Economic Area, who are governed by strict data protection and privacy regulations under the European Union’s General Data Protection Regulation (GDPR).
Currently, Microsoft customers in these regions have two options for managing diagnostic data collected by Windows 10 and sent to Microsoft’s servers. They can allow Microsoft to be the controller of that data, potentially allowing personal information to be transferred across international borders, or they can opt-out of diagnostic data collection completely.
The latter option isn’t practical for most organizations, because it eliminates the ability of Windows Update to deliver security and driver updates that are tailored for devices in that organization.
The new data processor service option allows enterprise customers running Windows 10 Enterprise subscription editions (including Microsoft 365 E3 and E5) to designate their own organizations as the controller for that diagnostic data. (This option is not available for devices running Windows 10 under retail and OEM licenses.) With this configuration in effect, the organization acts as the data controller and Microsoft becomes the data processor, handling diagnostic data on behalf of the organization.
After an organization enables this option, diagnostic data from devices within the organization will be routed to a separate data store. Customers can then use their Microsoft Azure portal to respond to GDPR requests from people within the organization, including requests to delete that data, download a copy of the data for personal inspection, or restrict its processing.
This new option allows customers to take advantage of the changes Microsoft published to its online service terms in November 2019. With that update, Microsoft clarified it acts as a data controller when providing the cloud services for Azure, Office 365, Dynamics, and Intune, but “remain[s] the data processor for providing the services, improving and addressing bugs or other issues related to the service, ensuring security of the services, and keeping the services up to date.”
According to Microsoft’s Marisa Rogers, Windows, browsers, and devices privacy officer, the new policy has been under development for several months. Coincidentally, last week, the EU’s Court of Justice (ECJ) struck down the EU-US Data Privacy Shield, which had been designed to prevent the bulk collection and access of user information associated with EU citizens, especially by US law enforcement agencies. Today’s changes allow EU-based organizations to take control of that Windows 10 data and restrict Microsoft’s ability to respond to requests from US agencies for access to the data.
To enroll in the preview, organizations need to run Windows 10 Enterprise 1809 or later (or Windows Server 2019 or newer) and fill in the Public Preview Signup form, including their Azure Active Directory Tenant ID. The form requires acknowledging that enrollment removes access to the Desktop Analytics and Update Compliance features.
After enrolling, administrators can deploy the new data processor service using Group Policy or mobile device management software such as Microsoft Intune. Detailed documentation is available in the support article, “Data processor service for Windows Enterprise Overview.”
Microsoft expects the preview program to last approximately six months before it’s generally available.