Microsoft so far has dodged the biggest fines that European privacy watchdogs have imposed under the EU's General Data Protection Regulation (GDPR).
But the company could face a GDPR penalty after the Netherlands' data-protection office asked its Irish counterpart to investigate new aspects of Microsoft's Windows 10 telemetry data collection.
The case stems from the Dutch data-protection agency's (DPA's) findings in pre-GDPR 2017. At that time, the agency found that Microsoft didn't tell Windows 10 Home and Pro users which personal data it collects and how it uses the data, and didn't give consumers a way to give specific consent.
SEE: 20 pro tips to make Windows 10 work the way you want (free PDF)
As part of the Windows 10 April 2018 Update, Microsoft last year released new privacy tools to help explain to users why and when it was collecting telemetry data. And by April 2018, the Dutch DPA assessed that the privacy of Windows 10 users was "greatly improved" due to its probe, having addressed the concerns raised over earlier versions of Windows 10.
However, the Dutch DPA on Tuesday said while the changes Microsoft made last year to Windows 10 telemetry collection did comply with the agreement, the company might still be in breach of EU privacy rules.
"Microsoft has complied with the agreements made," the Dutch DPA told Reuters. "However, the check also brought to light that Microsoft is remotely collecting other data from users. As a result, Microsoft is still potentially in breach of privacy rules."
A breach could potentially expose Microsoft to GDPR fines of up to 4% of an organization's global revenue. Though it's unlikely Microsoft's breach would attract the maximum fine.
Nonetheless, this July the Dutch DPA put in a request with Ireland's DPA to take up the case. The move is significant because it's where most US tech giants locate their non-US headquarters, including Microsoft.
As TechCrunch notes, Ireland's DPA is Microsoft's lead privacy regulator in Europe and confirmed it had received the Netherlands' request.
READ MORE: What the future looks like as GDPR's one-year anniversary approaches
It's not clear exactly how Microsoft could have breached GDPR rules, but the Dutch DPA's statement mentions Windows 10 collecting non-diagnostic data and questions whether users are informed of this collection.
"We've found that Microsoft collect diagnostic and non-diagnostic data. We'd like to know if it is necessary to collect the non-diagnostic data and if users are well informed about this," the Dutch DPA said in a statement.
"Does Microsoft collect more data than they need to (think about data minimalization as a base principle of the GDPR)?. Those questions can only be answered after further examination."
ZDNet contacted Microsoft for its comments. A spokesperson responded:
The Dutch data protection authority has in the past brought data protection concerns to our attention, which related to the consumer versions of Windows 10, Windows 10 Home and Pro. We will work with the Irish Data Protection Commission to learn about any further questions or concerns it may have, and to address any further questions and concerns as quickly as possible.
Microsoft is committed to protecting our customers' privacy and putting them in control of their information. Over recent years, in close coordination with the Dutch data protection authority, we have introduced a number of new privacy features to provide clear privacy choices and easy-to-use tools for our individual and small business users of Windows 10. We welcome the opportunity to improve even more the tools and choices we offer to these end users.
More on Microsoft, Windows 10, and privacy