On October 13th, the Dutch Data Protection Authority (Dutch DPA) announced that it had completed its investigation of Microsoft Windows 10 and determined that Windows 10’s default user privacy and consent settings violate Dutch data protection laws. This case is a prime example of why companies with employees, customers, prospective customers and/or operations located in Europe should understand their obligations under EU data protection laws.
First, companies that use software from vendors such as Microsoft are increasingly obligated under EU data protection laws, and in particular under the new General Data Protection Regulation (GDPR) taking effect on May 25, 2018, to make sure that the company’s use of a vendor’s software such as Windows 10 does not violate the EU data protection rights of persons located in the EU, including employees, regardless of the person’s citizenship.
Second, EU member state data protection authorities expect companies with employees, customers, prospective customers and/or operations in the EU to have a data protection compliance program which protects personal information about persons located in the EU, regardless of citizenship, from illegal processing, including transfer of personal data out of the EU to the U.S. or other non-EU jurisdictions without EU-adequate protections such as EU-U.S. Privacy Shield compliance certification.
Third, now that companies are on official notice of the Dutch determination that Windows 10 default privacy and consent settings violate Dutch data protection laws, companies using Windows 10 are potentially liable for data protection violations caused by their use of Windows 10 in their operations in the Netherlands, and potentially in other EU member states as well. This includes use of Windows 10 in relation to their customers, prospective customers and/or employees located in the Netherlands. Liability and fines are likely to be highest for companies that have offices in the Netherlands and use Windows 10 both in their consumer operations and on their employees’ machines. Penalties can increase if a company fails to fully cooperate with a data protection investigation or submits inaccurate responses during an investigation.
Finally, companies with operations in the Netherlands using Windows 10 should at a minimum make reasonable efforts to change Windows 10’s user privacy and consent settings to comply with Dutch and EU data protection laws, and seek help from Microsoft to do so if needed.
The key takeaways from this case for companies with employees, customers, prospective customers and/or operations in the Netherlands and/or other EU/EEA countries are:
- If you do not already have a compliance program covering EU data protection laws, consider adopting one if your company has any dealings with persons located in the EU or European Economic Area (EEA) regardless of those persons’ citizenship. Even a basic compliance program can help lower penalties in case of an investigation by an EU/EEA, U.S. and/or state data protection agency.
- Beginning on May 25, 2018, EU data protection fines will apply globally, impacting U.S. and non-U.S. subsidiaries of companies with employees, customers, prospective customers and/or operations in the EU/EEA. Fines can reach as high as 4% of a company’s gross global sales including all company subsidiaries. Actions by company subsidiaries that could violate EU data protection laws should be reviewed to make sure that the company is not involved in operations which violate EU/EEA data protection laws, particularly cross-border transfers of personal data from the EU/EEA to the U.S. or other non-EU jurisdictions.
- Treat any contact from EU/EEA, U.S. or state data protection agencies, such as the Federal Trade Commission, Department of Commerce, Securities and Exchange Commission, National Labor Relations Board, etc., with caution and discuss appropriate responses with your lawyer.
Author Linda V. Priebe, JD, CIPP/E is a Certified Information Privacy Professional/Europe (CIPP/E) and US data privacy and security compliance and federal relations attorney. She is former Deputy General Counsel, Ethics Official, and digital and social media counsel at the White House Office of Drug Policy (ONDCP) 1999-2013. She also served as Ethics Advisor in the White House Office of the Counsel to the President. Linda was counsel for the government in a dozen cases before the United States Supreme Court.
At Culhane Meadows, Linda helps global businesses including telecommunications companies, SaaS providers, digital advertisers, employers, internet retailers, software developers and technology startups avoid costly legal mistakes from falling out of compliance with the flood of new international laws governing data privacy and security. With her 14 years of federal service spanning 3 Presidential administrations, Linda is also a highly skilled and effective advocate before US government agencies and policy makers.
This Blog/Web Site is made available by Culhane Meadows, PLLC and its attorneys for educational purposes only and to provide general information about the law—not to provide you specific legal advice. By using this Blog/Web Site you understand that there is no attorney client relationship between you and any Culhane Meadows attorney. This Blog/Web Site should not be used or relied upon as a substitute for competent legal advice from a licensed professional attorney in your jurisdiction. Also, please note that although this Blog/Web Site is made available on the Internet, Culhane Meadows attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.