France's data protection agency has issued a formal notice to Microsoft, banning the company from collecting user data in Windows 10.
Windows 10 collects "irrelevant and excessive data", making it not compliant with France's data protection law, the Commission nationale de l'informatique et des libertés (CNIL) said in a statement.
The operating system pulls in information on all the apps installed on users' computers and how much they're used, as part of its diagnostics and telemetry service to troubleshoot problems and to improve products.
But the data protection agency argued this approach was "not necessary for the operation" of the telemetry service, and ordered Microsoft to stop gathering the information.
Data collected by Microsoft is being transferred to the United States under the old "safe harbour" provisions with the European Union, contravening an October 2015 ruling by the EU Court of Justice that said the provisions were illegal, the CNIL found.
The agency also criticised Microsoft for the lack of individual consent around targeted advertising in Windows 10, and for putting advertising cookies on users' computers without telling them or providing a way to opt out.
During its investigations between April and June this year, the CNIL noted that the PIN authentication method to access Microsoft online services in Windows 10 allows for an unlimited number of tries, meaning user data is "not secure or confidential".
It leaves open the potential for attackers to guess the PIN and access purchases made in the Windows Store, or the user's payment instruments, the CNIL said.
Microsoft now has three months to ensure Windows 10 and associated services are compliant with French law.
If the IT giant fails to do so, the CNIL can appoint an internal investigator who can propose unspecified sanctions against Microsoft for breaching the French data protection act.