Lisa Jucca
BRUSSELS: The European Union's privacy watchdog wants further scrutiny of
Microsoft's .NET Passport system to see if it complies with data protection
laws, according to a document obtained by Reuters on Tuesday.
EU national privacy controllers, who monitor compliance with the bloc's
privacy laws, said an analysis conducted by their Internet Task Force showed
closer checks were needed. "Although Microsoft has put in place some
measures to address data protection, a number of elements of the .NET Passport
System raise legal issues and therefore require further consideration,"
said the document, adopted at a meeting in Brussels on Monday and Tuesday.
Launched in 1999, .NET Passport aims to simplify e-commerce by allowing
consumers to store passwords, credit-card numbers and other personal information
in one location. It has already registered over 100 million users. To register,
users have to provide personal data -- emails, usernames, passwords and, in some
cases, phone numbers. Microsoft says users supply data on a voluntary basis.
Microsoft said in a statement that it was fully in line with EU rules.
"We have a long history of working with the National Data Protection
Authorities in the EU member states and are always eager to hear and address
their concerns," it said.
Under EU data privacy rules, customers' personal data can only be used by a
firm or passed on to others with the prior consent of the individual.
Question marks on privacy
The EU document said controllers wanted to examine more closely whether .NET
Passport users were fully aware that some of their data would sometimes be
transferred to a party other than Microsoft, possibly located in a third
country.
The officials questioned the value and quality of the consent given by users
to such operations, and the data protection rules of the Websites affiliated to
.NET Passport. The experts also said they wanted to weigh the security risks
associated with such transfers.
In the light of their initial study, data controllers decided "to
undertake further analysis...to assess where the European data protection
principles are correctly complied with and, where appropriate to identify
elements of the systems that require changes," the document said.
Any breach of EU rules would require Microsoft to modify the way the system
collects personal information. While the Commission has authority to help member
states interpret EU law, any legal action would be launched by the individual
member states.
Several national privacy controllers said last month that associations aimed
at protecting privacy had been asking governments to open an investigation and
could get their way. Any investigation would be separate from a probe by the
competition arm of the Commission, which is looking into Microsoft's Windows
operating system, alleged to work better with its own server software than those
of its rivals.
(C) Reuters Limited.