Brussels, 30th January 2003
Data protection: Microsoft agrees to change its .NET Passport system after discussions with EU watchdog
The European Union's Working Party on data protection ("Article 29 Working Party") agreed on 29th January a working document on on-line authentication services. As well as some general material and some guidelines to be applied by all present or future on-line authentication systems, the document includes two case studies on the most prominent systems at present: the Microsoft .NET Passport system and the Liberty Alliance Project. Following discussions with the Working Party, Microsoft has agreed to implement a comprehensive package of data protection measures, which will mean making substantial changes to the existing .NET Passport system. The purpose of online authentication systems is to allow users who have registered and provided some form of identification, often including an e-mail address, and verification, often a password, to navigate through participating sites without having to introduce a different password for each one.
Internal Market Commissioner Frits Bolkestein said: "The European Commission welcomes this document. I would like to congratulate the Working Party for its constructive approach and the excellent results achieved. The bottom line is that users' data will now be better protected. The industry in general now needs to take on board the Working Party's guidelines when developing new systems".
After a first document published by the group in June 2002 in which the main issues at stake were identified, the Working Party has established an open and fruitful dialogue with Microsoft that has led to Microsoft's commitment to make substantial changes in the .NET Passport system involving, among other things, a radical change of the information flow.
The most important result of the changes is that users will get much more information and choice as to which data they want to provide and under which conditions these data will be processed by Microsoft or the participating websites.
As the Working Party has underlined, the development of on-line authentication services needs to respect the data protection principles laid down in the 1995 Data Protection Directive and in the national laws implementing it.
The Working Party was set up under Article 29 of the Directive, to advise the European Commission on data protection questions. The Commission provides the group's secretariat but is not a member.
The document adopted by the Working Party is not related to and has no influence on the Commission's ongoing competition case against Microsoft (see IP/01/1232 and IP/00/906).
For more information please consult the group's own press release at: