You could replace HIPAA with GDPR again, since almost any medical information about an identifiable individual will constitute sensitive personal data that requires the stronger protections under that law.
I suppose it could claim that, but I suspect it would be a tough sell with the regulators if Microsoft is uploading large amounts of data the user probably didn't even know about and some of that data turned out to include sensitive personal data.
Presumably most people don't compile that sort of data into executables, but the situation seems to be unclear about whether other types of file might also be uploaded through similar mechanisms, and there also seems to be something going on involving MS executing the files and allowing remote connectivity, so the issue still seems relevant.
I'm not sure the GDPR protections are invoked by you giving them personal data they didn't ask for, but it'd be an interesting case! (Seems like anyone could screw a company by putting their name+address in the comment field of an anonymous survey, etc?)
If the data was uploaded deliberately through a system they operated, it is hard to see how they would be anything other than the data controller within the GDPR framework, unless maybe they actively tried to avoid collecting the personal data and it was supplied anyway. But it would be hard to argue that was the case if they were uploading data in ways the user of the computer in question probably wasn't even aware of.
(As an aside, if they are sweeping data on such a broad scale without being transparent about it and the only authorisation for doing so is buried deep in some legal document, it would be interesting to consider whether they were not only potentially in breach of GDPR but also various criminal computer misuse laws.)
I couldn't find any internet information on data not deliberately collected, so it's possible that nobody has figured out how GDPR applies (or I had the wrong search terms).