In a notice published on Wednesday, France’s National Data Protection Commission (CNIL) has ordered Microsoft to “stop collecting excessive user data” and to stop tracking the web browsing of Windows 10 users without their consent.

Microsoft was given three months to comply with the directive.

CNIL said it was alerted by the media and political parties to the possibility that Microsoft Corporation was collecting excessive personal data. The watchdog said it investigated and found that the company was collecting diagnostic and usage data via its telemetry service, which uses such data, among other things, to identify problems and to improve products.

CNIL said this data is excessive and unnecessary for the operation of the service.

The privacy watchdog also cited a lack of security, unwanted targeted advertising and a lack of option to block cookies as part of its grievances against Microsoft.

Microsoft is transferring its account holders’ personal data to the United States on a “safe harbour” basis but this has not been possible since the decision issued by the Court of Justice of the European Union on 6th October 2015, accused CNIL.

Safe Harbor is a European Union policy that allows consumer data to be stored abroad as long as it receives the same protections as E.U. law. It no longer applies to the U.S. because of domestic bulk surveillance programs. 

According to CNIL, the purpose of the notice is not to prohibit any advertising on the company’s services but, rather, to enable users to make their choice freely, having been properly informed of their rights.

“Should Microsoft Corporation fail to comply with the formal notice within the specified timescale, the Chair may appoint an internal investigator, who may draw up a report proposing that the CNIL’s restricted committee responsible for examining breaches of the Data Protection Act issue a sanction against the company,” the notice said.