Brazilian court orders Microsoft to change data collection practices



Vincent Manancourt

04 May 2018

A Brazilian court has granted an injunction ordering Microsoft to change its default installation process for Windows 10, after finding the company violated several local laws by collecting users’ data without their express consent.

In an order issued on 30 April, federal judge Cristiane Faria Rodrigues dos Santos gave Microsoft 30 days to change Windows 10 settings to provide users with a “simple, easy and straightforward” way to withhold authorisation for their data to be collected.

The injunction follows a lawsuit filed by Brazil’s federal public prosecutor’s office (MPF) on 25 April, which accused Microsoft’s Windows 10 operating system of giving the company access to user data in a way that “violates the law and poses a risk to privacy”.

The injunction enacted most of the public prosecutors’ demands, but stopped short of ordering Microsoft to change its licenses and software codes to stop all collection of personal information. The judge said the court would need to hear technical evidence before considering this demand.

In its lawsuit, the MPF said Windows 10 violates Brazil’s internet law because it does not obtain “express consent” to collect user data. Prosecutors also allege that Microsoft is in breach of a consumer protection code requirement for products and services to “adequately and clearly” communicate the risks they present to users.

The MPF said in a statement that the default setting for Brazilian users of Windows 10 gives automatic approval for the company to collect user data, such as their location, email content, browsing habits and history. The prosecutors said turning this setting off is “a complex and laborious task”.

Prosecutor Pedro Antônio de Oliveira Machado, who filed the lawsuit, asked the judge to order Microsoft to put a stop to the “automatic” collection of data by Windows 10. The MPF is also calling for Microsoft to collect data “only with the express and previous consent of the consumers, who should be alerted, at the time of the option, about the consequences of [giving] such authorisation.”

In an email to Latin Lawyer sister publication Global Data Review, de Oliveira Machado said user data should only be collected under “unequivocal” consent because “recent episodes… have shown that companies in the industry have not behaved in good faith towards their users”.

In the email, he warned of “serious and dramatic” consequences if the world did not move towards “regulation that strongly protects users against powerful economic and even political interests”.

The lawsuit also takes aim at Brazil’s federal government, which it accuses of failing to protect consumer rights. Prosecutors added that several federal government entities used Windows 10, creating a risk that private information could be made public.

The MPF is demanding that Microsoft pay a fine of at least 100,000 reais (US$28,520) for every day it fails to comply with any court decision in the prosecutors’ favour, as well as 10 million reais (US$2.9 million) for “damages already caused”.

De Oliveira Machado told GDR he decided to file charges against Microsoft after a member of the MPF’s IT department notified him of Windows 10 default data collection settings. After doing some “preliminary checks” himself, de Oliveira Machado ordered IT professionals at the MPF to investigate the software.

The lawsuit comes shortly after public prosecutors for Brazil’s Federal District launched an administrative investigation into Vivo, the country’s largest telecoms company, for allegedly allowing advertisers unlawful access to personally identifiable customer data.

Azevedo Sette Advogados partner Paulo Brancher said the public prosecutors’ targeting of well-known brands is part of a strategy to pressure Brazil’s Congress into enacting federal data protection regulations. Congress is currently debating two data protection bills.

When asked whether Brazil needs data protection regulation, de Oliveira Machado said: “the legal framework already provides for this to a certain extent, but [it] should be improved, including establishing mechanisms, such as fines, indemnities and mandatory compliance programs, to…discourage corporations [from] violating the privacy of their users”.

This is not the first time Microsoft has come under fire for the way its Windows 10 operating system handles user data.

In early 2017, the EU’s Article 29 Working Party said it was not satisfied by changes Microsoft had made to Windows 10 privacy settings in response to its concerns. In 2016, France’s data protection authority ordered the company to stop collecting “excessive data and tracking browsing by users without their consent”.

In a statement, a Microsoft spokesperson said: “We are committed to our customers’ privacy and putting them in control of their data. It is a priority for us to ensure that all of our products and services are compliant with applicable law and we welcome the opportunity to work with the MPF to address their comments related to Windows.”

Brancher expects a final judgement in “one or two years”.

This story was written for Global Data Review, a new service by Latin Lawyer’s publisher, Law Business Research.

https://latinlawyer.com/article/1169013/brazilian-court-orders-microsoft-to-change-data-collection-practices?utm_source=Law%20Business%20Research&utm_medium=email&utm_campaign=9446241_Latin%20Lawyer%20Headlines%2004%2F05%2F2018&dm_i=1KSF,5MGRL,9GPGR9,LUZMN,1