The US technology giant confirmed its plans in a statement issued in response to a formal notice served on the business by France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL).

In the notice, CNIL said Microsoft is “transferring its account holders’ personal data to the United States on a ‘Safe Harbour’ basis”, despite the Safe Harbour framework for EU-US data transfers being invalidated by the Court of Justice of the EU last year.

In response Microsoft defended its data transfer arrangements and revealed plans to adopt the Privacy Shield, which has been established by EU and US officials as a replacement framework to Safe Harbour for facilitating trans-Atlantic data flows.

David Heiner, Microsoft vice president and deputy general counsel, said: “We fully discern the importance of establishing a sound legal framework for trans-Atlantic data transfers, and that is why Microsoft has been very supportive of the efforts on both sides of the Atlantic that led to last week’s adoption of the Privacy Shield.”

“Microsoft has in fact continued to live up to all of its commitments beneath the Safe Harbor Framework, even as the European and US representatives worked toward the fresh Privacy Shield… In addition to the Safe Harbor Framework we rely on a variety of legal mechanisms as the basis for transferring data from Europe, including standard contractual clauses, a data transfer mechanism established by the European Commission and approved by European data protection authorities, to cover data flows from the European Union to the United States,” he said.

“Microsoft will release an updated privacy statement next month, and that will remark Microsoft intends to adopt the Privacy Shield. We are working now toward meeting the requirements of the Privacy Shield,” Heiner said.

US businesses will be able to self-certify their compliance with the EU-US Privacy Shield’s privacy principles from 1 August. A system of annual re-certification will apply. The European Commission last week adopted a finalised ‘adequacy decision’ (44-page / 486KB PDF) which contains its view that businesses transferring personal data from the EU to the US in line with the Privacy Shield principles will accord with EU data protection law standards.

In its statement CNIL also called on Microsoft to take steps to reduce the amount of personal data it collects via its new Windows 10 operating system, limit the number of times incorrect log-in credentials can be typed in by users of Microsoft accounts and address issues of customer consent to online tracking and targeted advertising. Microsoft also needs to better explain its use of “advertising cookies” and permit internet users to stop them from being stored on their devices, CNIL said.

Microsoft has been given three months to make changes that align with French data protection laws.

Heiner said: “We built strong privacy protections into Windows 10, and we welcome feedback as we continually labor to enhance those protections. We will labor closely with the CNIL over the next few months to discern the agency’s concerns fully and to labor toward solutions that it will discover acceptable.”